Friday, October 4, 2024

Review - NIST Publishes RFI for Safety of Chemical/Biological AI Models

Today the DOC’s National Institute of Standards and Technology (NIST) published a request for information notice in the Federal Register (89 FR 80886-80887) for “Safety Considerations for Chemical and/or Biological AI Models”. According to the notice summary: “The U.S. Artificial Intelligence Safety Institute (AISI), housed within the National Institute of Standards and Technology (NIST) at the Department of Commerce, is seeking information and insights from stakeholders on current and future practices and methodologies for the responsible development and use of chemical and biological (chem-bio) AI models.”

Public Comments

NIST is soliciting public comments on these proposed questions. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # 240920-0247). Comments should be submitted by December 3rd, 2024. Responses may inform AISI's overall approach to biosecurity evaluations and mitigations.

For more information on this request for information, including a list of the topics being addressed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nist-publishes-rfi-for-safety-of  - subscription required.


Transportation Chemical Incidents – Week of 8-31-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 523 (503 highway, 17 air, 3 rail, 0 water)

• Serious incidents – 3 (2 Bulk release, 1 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion, 26 no release)

• Largest container involved – 25,962-gal DOT 111A100W1 Railcar {Environmentally Hazardous Substances, Liquid, N.O.S.} During switching operations PRD Valve released product.

• Largest amount spilled – 200-gal IBC {Sodium Hydroxide, Solution}  During loading, a protruding piece of wood from a broken pallet punctured the IBC.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Ammonium hydrogendifluoride, solution – Corrosive and Toxic. Ammonium bifluoride solution is the white crystalline solid dissolved in water. It is corrosive to metals and tissue. It is used in ceramics. Flammable hydrogen gas may collect in enclosed spaces. (Source: CameoChemicals.NOAA.gov).



APHIS and CDC send Bio-Toxin Final Rules to OMB

Yesterday, OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received final rules from USDA’s Animal & Plant Inspection Service (APHIS) and the CDC relating to the updating of the Select Agent and Toxin List. These are coordinated rulemakings.

APHIS Final Rule

The APHIS final rule notice is on “Agricultural Bioterrorism Protection Act of 2002; Biennial Review and Republication of the Select Agent and Toxin List”. The notice of proposed rulemaking was published on January 30th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“In accordance with the Agricultural Bioterrorism Protection Act of 2002, we are proposing to amend and republish the select agent and toxin lists that have the potential to pose a severe threat to animal or plant health, or to animal or plant products. The Act requires the biennial review and republication of the list of select agents and toxins and the revision of the list as necessary. This action would implement findings of biennial review of the lists. In addition, we are proposing to codify operational procedures and policies necessary to enforce the regulations. On April 8, 2022, APHIS sent tribal nations a letter outlining the provisions of the proposed rule and soliciting their feedback. On May 5, 2022, the Sac and Fox Tribe of the Mississippi in Iowa submitted a response expressing concerns regarding whether possible Brucella abortus delisting would materially adversely impact APHIS' domestic quarantine program for the control and eradication of brucellosis in cattle and bison. In response, APHIS clarified that the two issues were distinct, and no adverse operational impacts were anticipated. On June 6, 2022, the Tribe indicated that they had no further comments or concerns.”

CDC Final Rule

The CDC final rule notice is on “Possession, Use, and Transfer of Select Agents and Toxins; Biennial Review”. The notice of proposed rulemaking was published on January 30th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“The Bioterrorism Preparedness Act requires that the Department of Health and Human Services (HHS) Secretary review and republish the list of select agents and toxins on at least a biennial basis. This final rule concludes the biennial review and republication of the list of biological agents and toxins regulated by HHS.”

Thursday, October 3, 2024

Short Takes – 10-3-24

Explainer: what is ricin? ChemistryWorld.com article. Pull quote: “Efforts are also underway to develop vaccines to protect against ricin exposure. In 2020, the US Food and Drug Agency granted a fast-track designation to Soligenix for its RiVax vaccine candidate. RiVax contains a genetically altered version of ricin’s A chain and so primes an antibody response to ricin exposure. The vaccine appears to have provided a high level of protection against ricin exposure in animal studies.”

NASA prepares for Lunar Terrain Vehicle testing. Phys.org article. Pull quote: “In April 2024, as part of the Lunar Terrain Vehicle Services contract, NASA selected three vendors—Intuitive Machines, Lunar Outpost, and Venturi Astrolab—to supply rover capabilities for use by astronauts on the lunar surface. While the test unit will never go to the moon, it will support the development of additional rover prototypes that will enable NASA and the three companies to continue making progress until one of the providers comes online.”

Alien civilizations are probably killing themselves from climate change, bleak study suggests. An interesting take on climate change. Pull quote: “In this case, the flooded house is the atmospheric temperature of a planet. A buildup of energy leakage, even from green energy, will eventually overheat any planet to the point where it is no longer habitable. If energy levels aren't curbed, this disastrous level of climate change could take less than 1,000 years from the start of energy production, the team found.”

Getting space traffic coordination on track. SpaceReview.com article. Traffic deconfliction not traffic control. Pull quote: “In the statement about the beginning of TraCSS [Traffic Coordination System for Space] phase 1.0, a Pentagon official emphasized the cooperative nature of the work between the two departments. “The Department of Defense is working side-by-side with the Department of Commerce to ensure the seamless transfer of responsibility for civil and commercial space situational awareness services and information,” said John Hill, performing the duties of associate secretary of defense for space policy.”

Class-action lawsuit filed against Georgia lab after fire released chemical plume into atmosphere. NBC26.com article. Pull quote: “On Sunday, a fire broke out on the roof of the BioLab facility in Conyers, Georgia, triggering a malfunctioning sprinkler head and causing water to interact with a water-reactive chemical housed at the plant, Rockdale County Fire Chief Marian McDaniel said. This sent a large cloud of dark smoke into the atmosphere that could be seen and even smelled for miles, with residents of both Rockdale County and neighboring communities reporting scents of strong chemicals and a heavy haze that's continued to create low visibility as far as Atlanta as of Wednesday.”

Review - HR 9412 Introduced – Healthcare Cybersecurity

Back in August, Rep Crow (D,CO) introduced HR 9412, the Healthcare Cybersecurity Act of 2024. The bill establishes requirements for: CISA-HHS coordination, CISA healthcare cybersecurity training, HHS developed sector security plans, and requires HHS to develop criteria for identifying high-risk covered assets. The bill would specifically prohibit additional funding to support these efforts.

This bill is very similar to S 4697 [removed from paywall], which was introduced in July by Sen Rosen (D,NV). That bill was considered by the Senate committee on July 31st, 2024. The bill was amended and reported favorably by a vote of 10 to 1 {Sen Paul (R,KY) was the dissenting vote}. That report (and the amended version) has not yet been published. Paul’s opposition almost assures that S 4697 will not be considered by the full Senate.

Moving Forward

Neither Crow nor any of his three cosponsors is a member of the House Homeland Security Committee, to which this bill was assigned for primary consideration. This means that there will probably not be sufficient influence to see the bill considered in Committee. With the funding exclusion added to the bill, I see nothing that would engender any organized opposition. I suspect that there would be some level of bipartisan support for the bill were it to be considered. Whether it would be sufficient to see the bill considered under the suspension of the rules process before the full House remains to be seen.


For more information on this bill and its differences from S 4697, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9412-introduced - subscription required.

Review – 3 Advisories Published – 10-3-24

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Delta Electronics, Subnet Solutions, and TEM.

Advisories

Delta Advisory - This advisory describes two SQL injection vulnerabilities in the Delta DIAEnergie industrial energy management system.

Subnet Advisory - This advisory discusses three vulnerabilities (all with publicly available exploits) in the Subnet PowerSYSTEM Center.

TEM Advisory - This advisory describes two vulnerabilities in the TEM Opera Plus FM Family Transmitter.


For more information on these advisories, including links to researcher reports and exploits, as well as a brief down-the-rabbit-hole look at vendor advisories, see my report at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-10-3-24 - subscription required.

Wednesday, October 2, 2024

Short Takes – 10-2-24

Department of Transportation Substantially Increases Grant Funds Supporting State Pipeline and Underground Gas Storage Safety Programs. PHMSA press release. Pull quote: “This year’s award package includes a 33 percent ($21.5 million) increase in comparison to Fiscal Year (FY) 2023 funding levels and will further enable PHMSA’s state partners to hire new pipeline inspectors, provide training, conduct pipeline inspections, and purchase and maintain equipment necessary to carry out their pipeline safety missions.”

Hazardous Materials: Notice of Hazardous Materials Transportation Seminar. Federal Register PHMSA meeting notice. Summary: “The Pipeline and Hazardous Materials Safety Administration's (PHMSA) Office of Hazardous Materials Safety (OHMS) will hold a free Hazardous Materials Transportation Seminar from October 30, 2024, through November 1, 2024, at the Hyatt Regency Indianapolis, One South Capital Avenue, Indianapolis, IN 46204. The seminar will be a three-day event with a broad focus on outreach and engagement with PHMSA's stakeholders. Targeted stakeholders include shippers, transporters, and small business particularly in underserved communities, and emergency responders.”

Securing Cities: The Fight Against Local Level Cyberthreats. DomesticPreparedness.com article. Includes a good list of ‘common vulnerabilities’. Pull quote: “In addition to defending against external threats, cybersecurity resilience also addresses the risks posed by human error and insider threats. Employees at all levels can inadvertently expose systems to vulnerabilities through actions such as clicking on phishing emails or misconfiguring security settings. However, the threat does not only come from negligence. Intentional and unintentional insider threats can be just as damaging. Disgruntled employees or others with access to sensitive systems can misuse their privileges, either out of malice or carelessness, leading to significant breaches.”

NOTE: DP also has a couple of interesting ‘flashback’ cyber security articles from Markus Rauschecker (2013) and Joe Weiss (2018).

Inside HHS’ ‘one-stop shop’ for health sector cybersecurity. FederalNewsNetwork.com article. Pull quote: “One of the cyber division’s core responsibilities will be incident response, Mazanec said. When a cyber attack hits a major hospital, for instance, ASPR’s team will work with the FBI and the Cybersecurity and Infrastructure Security Agency to help respond and offer support.”

NIST Cybersecurity White Paper (CSWP) 36B Using Hardware-Enabled Security to Ensure 5G System Platform Integrity - Applying 5G Cybersecurity and Privacy Capabilities White Paper Series Available for Comment. CSRC.NIST.gov announcement. “We are pleased to announce the availability of the third white paper in the series:

“Using Hardware-Enabled Security to Ensure 5G System Platform Integrity—This publication provides an overview of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure.” Public comments due October 30th, 2024.

Deadly Marburg virus: scientists race to test vaccines in outbreak. Nature.com article. Pull quote: “Ira Longini, a biostatistician at the University of Florida in Gainesville and MARVAC member, says that if the Rwanda outbreak continues, the plan is to trial at least one vaccine in a strategy known as ring vaccination. The approach — which showed the effectiveness of an Ebola vaccine in Guinea during the 2014–16 West African outbreak — involves immunizing contacts of an infected individual.”

Bills Introduced – 10-1-24

Yesterday, with the House and Senate meeting in pro forma session, there were 29 bills introduced. Two of those bills may receive additional coverage in this blog:

HR 9892 To promote the use of smart technologies and systems in communities, and for other purposes. DelBene, Suzan K. [Rep.-D-WA-1] 

HR 9893 To improve dam and hydropower safety, and for other purposes. Dingell, Debbie [Rep.-D-MI-6]

I will be watching both bills for language or definitions that specifically include cybersecurity measures within the scope of the provisions of the bills.

There is one additional bill that I would like to mention in passing:

HR 9905 To make supplemental appropriations for disaster relief in response to Hurricane Helene, and for other purposes. Moskowitz, Jared [Rep.-D-FL-23]

Helene cut a major swath across the Southeast, bringing major flooding and damage to areas not normally affected by hurricanes. The damage totals being bandied about are quite impressive, and there are certainly questions about whether FEMA has sufficient funding to guide the recovery efforts. There is a chance that President Biden will call Congress back to Washington to provide legislative support.

This bill is the first that I have seen to specifically address those issues, but Moskowitz is not a member of the House Appropriations Committee. This makes it unlikely that this will be the bill that Congress would consider.

Principles of Operational Technology Cybersecurity Published

Yesterday, CISA, and a wide range of international partners, published “Principles of Operational Technology Cyber Security”. This relatively short (14 pages) document provides a broad overview of the important aspects of cybersecurity for Operational Technology. A shorter (2 page) ‘quick reference’ document is also available. There is not a lot of detail, and that should not be expected in a 14-page document, but it provides a skeleton upon which an OT cybersecurity program could be built. One point of note: you will have to overlook many of the spelling differences (‘defences’ vs ‘defenses’, for instance); this was written in the British/Australian version of the English language.

From my point of view, Principle 6 from the Quick Reference Guide is one of the most important points made in the document:

Principle 6: People are essential for OT cyber security – People are the first line of defence. A cyber-related incident in OT cannot be prevented, defended against, identified, responded to and recovered from in a timely manner without people with the necessary tools and training looking for it, and able to competently respond to it. An investment in staff to create a collaborative team of trained and skilled people with necessary tools, supported by a mature and organisation-wide cyber-security culture, is critical to an organisation’s cyber defences.

There are no surprises here. Just solid fundamentals.

Tuesday, October 1, 2024

Short Takes – 10-1-24

NTSB Releases Illustrated Digest of East Palestine Investigation Report. NTSB.gov press release. Pull quote: “The National Transportation Safety Board released an illustrated digest of its investigation into the 2023 derailment of a Norfolk Southern Railway freight train carrying hazardous materials in East Palestine, Ohio. The illustrated digest serves as a companion to the NTSB’s 201-page final report, using photos and graphics to illustrate how and why the derailment occurred as well as explaining NTSB safety recommendations to prevent similar accidents in the future. While the final report remains the NTSB’s definitive publication on the derailment, the digest highlights the depth and scope of the 16-month investigation.”

A Practical Analysis of Cyber-Physical Attacks Against Nuclear Reactors. Reversemode.com blog post. Pull quote from referenced report: “While this research focused on potential cyber-physical threats to traditional nuclear power plants, it is important to consider the future of nuclear energy, particularly the development of Small Modular Reactors (SMRs). SMRs, with their enhanced safety features, reduced capital costs, and potential for deployment in remote locations, represent a promising path towards a sustainable energy future. However, as SMRs are expected to be increasingly integrated as critical infrastructures, it becomes paramount to prioritize cybersecurity considerations. The insights gained from analyzing potential issues in existing digital I&C platforms and NPP designs, may serve as valuable lessons for designing and implementing robust and resilient safety systems for SMRs, ensuring the peaceful and secure utilization of this vital energy source.”

Hezbollah pager attacks will trigger tighter security at airports, schools, and even hospitals, experts say. CyberNews.com editorial. Pull quote: “Most importantly, Tufts said “we need to understand if our modern scanning equipment would have detected this form of explosive.” Until this is determined, he said Americans should expect the US Transportation Security Administration (TSA), in charge of security at all US airports – to overcorrect. “On the whole, TSA is not going to trust any device with a cell antenna for the next 18 months,” he warned. “Lines are about to get longer.””

As Earth’s Climate Unravels, More Scientists Are Ready to Test Geoengineering. ScientificAmerican.com article. Longer read. Pull quote: “Caldeira thinks support for SRM will continue to broaden, especially if drought and famine caused by climate change—which have already begun—happen year after year and disproportionately affect poorer countries. “SRM is the only way to start cooling the Earth within a few years,” he says. “There would be mounting pressure on political leaders [in poorer affected countries] to deploy it. Or at least, they could use the threat of SRM to get more aid from wealthy countries.””

EPA Requires City of Tolleson, Ariz. to Comply with Chemical Safety Laws. EPA.gov press release. Pull quote: “Following the inspection, the City of Tolleson proactively made significant safety improvements to its facility. It also completed equipment repairs, installed safety signage, and protected its outdoor chlorine cylinders. It improved its documentation management system, completed a compliance audit, and revalidated its process hazard analysis. The Plant has returned to compliance with most deficiencies identified in the inspection report. Only two remaining tasks are due by the end of 2024, as required in the settlement agreement. These tasks include providing documentation for its chlorine storage room's ventilation system and completing all recommendations identified in its latest compliance audit.” 

TCCA Chemical Hazards

The ongoing chemical incident at the Bio-Lab facility in Conyers, GA has caused significant damage to the Bio-Lab facility (not yet fully documented in the press), the evacuation of thousands of people in the area surrounding the facility, and the on-again-off-again shelter in place for even more thousands of residents outside of the evacuation zone. The source of these problems is the chemical trichloroisocyanuric acid (TCCA), a bleaching agent commonly used for the disinfection of swimming pools and spas. Because it is typically sold in small quantities, most people do not consider this to be a dangerous chemical.

As I noted in this morning's post, Bio-Lab has had problems in the past with safety incidents related to TCCA. The CSB’s report (pg 13) on the May 2020 incidents describes the hazards associated with TCCA:

“Trichloroisocyanuric Acid (TCCA), a chlorinating agent, is often used as a sanitizer for swimming pools and hot tubs. It is a white solid substance manufactured at the Bio-Lab facility and available as a powder, compacted tablets, and granules (Figure 2). In large bodies of water, such as pools, TCCA breaks down slowly to release hypochlorous acid (HClO), as shown in Figure 3, which kills bacteria, algae, and other microorganisms as intended. When TCCA instead comes in contact with a small amount of water, it can experience a chemical reaction causing heat generation [1, pp. 2-3] and the decomposition of the TCCA. When TCCA reacts and decomposes, it produces toxic chlorine gas [2, p. 2622] and can produce explosive nitrogen trichloride [3, p. 1]. According to the U.S. Environmental Protection Agency (EPA), “Even a small amount of water splashed on the [pool] chemical may in some cases trigger a strong reaction” [1]. Water-reactive materials may violently react, produce toxic or other hazardous gases, or evolve enough heat to cause self-ignition or ignition of nearby combustibles upon water exposure [4, pp. 400-17]. TCCA is a Class 1 oxidizer, and TCCA “[r]eacts with combustible materials, ammonia salts, or foreign substances, resulting in fire [5, pp. 49-148]. Bio-Lab’s TCCA safety data sheet (SDS) states that a fire involving TCCA should be flooded with water.”

What this means when a storage facility for a TCCA manufacturer becomes involved in an incident is that, past a certain size, the situation becomes unmanageable. If the building collapses from the effects of the fire (as appears to have happened this weekend), an indeterminate number of individual containers are going to become compromised. Non-flooding amounts of water are inevitably going to come in contact with the exposed TCCA, starting the decomposition process all over again. Heat from the reaction in the newly damaged container will be sufficient to compromise additional plastic containers that had not already been damaged. Either additional water will reach these containers, or the exotherm from nearby containers will raise the temperature enough to begin the decomposition process at a new site. Shifting wreckage will damage further containers. And so on and so on, until all of the containers are reduced to melted plastic slag. Hopefully, that will happen before anyone starts to tear down the remains of the damaged building.

Review – 2 Advisories Published – 10-1-24

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Optigo Networks.

Advisories

Mitsubishi Advisory - This advisory discusses a NULL pointer dereference vulnerability in the Mitsubishi MELSEC iQ-F OPC UA Unit.

Optigo Advisory - This advisory describes two vulnerabilities in the Optigo ONS-S8 - Spectra Aggregation Switch.


For more information on these advisories, including links to researcher reports, and including a down-the-rabbit-hole look at generic fixes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-10-1-24 - subscription required.

CSB Sends Team to Conyers, GA Fire and Chlorine Release Incident

Yesterday, the Chemical Safety Board (CSB) announced that it had sent a team to investigate the major chemical fire that occurred on September 29 at the Bio-Lab facility in Conyers, GA. According to early news reports (here, here, and here), the incident started out as a minor fire on the roof of the chemical manufacturing facility, but greatly expanded when firefighting water came into contact with a common pool chemical {trichloroisocyanuric acid (TCCA)}, initiating a chemical decomposition reaction that released chlorine gas (and oxygen, hence the reason that PHMSA classifies the chemical as an oxidizer, not an inhalation hazard) into the atmosphere. The incident resulted in the evacuation of 17,000 people, the isolation of an additional 90,000 people under a shelter-in-place warning, and the closure of I-20.

The announcement reports that:

“The CSB has investigated the Bio-Lab facility [link added] in Conyers before.  In September 2020, the CSB investigated a chemical reaction and decomposition at the facility which released a plume of hazardous chemicals, including chlorine, that exposed Bio-Lab personnel and nine firefighters to dangerous fumes.  Surrounding businesses in the area were evacuated, and a portion of Interstate 20 near the facility was closed for six hours.”

The fact that the CSB has sent a team to the Conyers, GA site does not necessarily mean that the agency will conduct an official investigation that will result in a formal report. Since the CSB is not a regulatory agency, there is no requirement for an investigation of every significant incident. I suspect, however, that in this case, with the widespread, ongoing news coverage and the significant off-site impact, the agency will conduct a formal investigation. And, of course, it would allow them to once again hit at the EPA and OSHA for their continued failure to regulate reactive chemical hazards.

While it is late in the swimming pool season, the extensive damage caused by this incident (the news reports indicated that at least one building on site has collapsed) can be expected to have a major impact on the availability of pool/spa disinfectant chemicals into (and probably through) next year.
