OMB Approves APHIS Toxin List Update Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the USDA’s Animal and Plant Health Inspection Service (APHIS) on “Agricultural Bioterrorism Protection Act of 2002; Biennial Review and Republication of the Select Agent and Toxin List”. The advanced notice of proposed rulemaking was published on March 17^th, 2020. The notice of proposed rulemaking was published on January 30^th, 2024.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“In accordance with the Agricultural Bioterrorism Protection Act of 2002, we are proposing to amend and republish the select agent and toxin lists that have the potential to pose a severe threat to animal or plant health, or to animal or plant products. The Act requires the biennial review and republication of the list of select agents and toxins and the revision of the list as necessary. This action would implement findings of biennial review of the lists. In addition, we are proposing to codify operational procedures and policies necessary to enforce the regulations. On April 8, 2022, APHIS sent tribal nations a letter outlining the provisions of the proposed rule and soliciting their feedback. On May 5, 2022, the Sac and Fox Tribe of the Mississippi in Iowa submitted a response expressing concerns regarding whether possible Brucella abortus delisting would materially adversely impact APHIS' domestic quarantine program for the control and eradication of brucellosis in cattle and bison. In response, APHIS clarified that the two issues were distinct, and no adverse operational impacts were anticipated. On June 6, 2022, the Tribe indicated that they had no further comments or concerns.”

In January the HHS’ Center for Disease Control and Prevention (CDC) published their NPRM for a similar update of regulations and lists for select agents/toxins. These two rules are typically published in tandem and the final rules for both were sent to OIRA on October 3^rd, 2024. I suspect that we will see OIRA approve the CDC final rule early this coming week.

These are coordinated rulemakings. The APHIS rule targets the protection of animals, live stock in particular. The CDC’s rule targets the protection of humans. This means that there is some degree of overlap between the two sets of lists and regulations.

I will probably publish a single post covering both rules when they are published. 

Review – Public ICS Disclosures – Week of 11-23-24

This week we have 41 vendor disclosures from Axis (5), B&R, Dell, Dassault Systems, ELECOM, Fuji Electric, GE Vernova (19), Hitachi Energy, HPE, Mitsubishi, Palo Alto Networks, PEPPERL+FUCHS, Splunk (2), SMA Solar Technology, VMware, and Zyxel. There are also five vendor updates from ELECOM (4) and FortiGuard. We also have 21 researcher reports of vulnerabilities in products from ABB (4) and Fuji (17).

Advisories

Axis Advisory #1 - Axis published an advisory that describes an improper validation of syntactic correctness of input vulnerability in their AxisOS product.

Axis Advisory #2 - Axis published an advisory that describes an improper validation of syntactic correctness of input vulnerability in their AxisOS product.

Axis Advisory #3 - Axis published an advisory that describes an incorrect default permissions vulnerability in their Camera Station products.

Axis Advisory #4 - Axis published an advisory that describes an insufficiently protected credentials vulnerability in the Camera Station products.

Axis Advisory #5 - Axis published an advisory that describes a client-side enforcement of server-side security vulnerability in their Camera Station products.

B&R Advisory - B&R published an advisory that describes an authentication bypass using an alternate path or channel vulnerability in multiple mapp products.

Dell Advisory - Dell published an advisory that describes four vulnerabilities in their Wyse Management Suite. The first vulnerability is a third-party (MongoDB) issue.

Dassault Systems Advisory - Dassault Systems published an advisory that discusses a deserialization of untrusted data vulnerability (with publicly available exploit) in their Iterop product.

ELECOM Advisory - JP-CERT published an advisory that describes four vulnerabilities in multiple ELECOM wireless LANs.

Fuji Advisory - JP-CERT published an advisory that describes three vulnerabilities in the Fuji V-SFT, TELLUS, and V-Server products.

GE Vernova Advisories - GE Vernova (formerly Grid Solutions) published 19 advisories.

Hitachi Energy Advisory - Hitachi Energy published an advisory that discusses four vulnerabilities in their NSD570 Teleprotection Equipment.

HPE Advisory - HPE published an advisory that describes an unauthorized data modification vulnerability in their IceWall Products.

Mitsubishi Advisory - Mitsubishi published an advisory that describes three vulnerabilities in their GENESIS64TM and MC Works64 products.

Palo Alto Networks Advisory - Palo Alto Networks published an advisory that describes an improper certificate validation vulnerability (with publicly available exploit) in their GlobalProtect App.

PEPPERL+FUCHS Advisory - CERT-VDE published an advisory that discusses the PKFAIL vulnerability in multiple products from PEPPERL+FUCHS.

Splunk Advisory #1 - Splunk published an advisory that discusses three vulnerabilities (one with publicly available exploit) in their Splunk Machine Learning Toolkit.

Splunk Advisory #2 - Splunk published an advisory that discusses an exposure of sensitive information to an unauthorized actor vulnerability in their Python for Scientific Computing product.

SMA Solar Advisory - CERT-VDE published an advisory that describes an SQL injection vulnerability in SMA Sunny Central products.

VMware Advisory - Broadcom published an advisory that describes five vulnerabilities in the VMware Aria Operations product.

Zyxel Advisory - Zyxel published an advisory that discusses recent attempts to exploit a previously fixed directory traversal vulnerability in their ZLD firewall.

Updates

ELECOM Update #1 - JP-CERT published an update for the ELECOM wireless LAN router advisory that was originally published on May 28^th, 2024, and most recently updated on August 27^th, 2024.

ELECOM Update #2 - JP-CERT published an update for the ELECOM wireless LAN router advisory that was originally published on March 26^th, 2024, and most recently updated on August 27^th, 2024.

ELECOM Update #3 - JP-CERT published an update for the ELECOM wireless LAN router advisory that was originally published on August, 27^th, 2024, and most recently updated on September 9^th, 2024.

ELECOM Update #4 - JP-CERT published an update for the ELECOM wireless LAN router advisory that was originally published on March 26^th, 2024, and most recently updated on August 27^th, 2024.

FortiGuard Update - FortiGuard published an update for their missing authentication in fgfmsd advisory that was originally published on October 23^rd, 2024, and most recently updated on November 15^th, 2024.

Researcher Reports

ABB Reports - Zero Science published four reports of vulnerabilities in the ABB Cylon Aspect building energy management product.

Fuji Reports - The Zero Day Initiative published 17 reports of vulnerabilities in the Fuji Monitouch V-SFT.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-95e - subscription required. 

Short Takes – 11-29-24

Atlantic hurricane season races to finish within range of predicted number of named storms. NOAA.gov press release. Pull quote: “The Atlantic basin saw 18 named storms in 2024 (winds of 39 mph or greater). Eleven of those were hurricanes (winds of 74 mph or greater) and five intensified to major hurricanes (winds of 111 mph or greater). Five hurricanes made landfall in the continental U.S., with two storms making landfall as major hurricanes. The Atlantic seasonal activity fell within the predicted ranges for named storms and hurricanes issued by NOAA’s Climate Prediction Center in the 2024 August Hurricane Season Outlook. An average season produces 14 named storms, seven hurricanes and three major hurricanes.”

What’s next for NASA’s giant moon rocket? TechnologyReview.com article. Pull quote: “Such a scenario could have a broad impact on NASA that reaches beyond just SLS. Scrapping the rocket could bring up wider discussions about NASA’s overall budget, currently set at $25.4 billion, the highest-funded space agency in the world. That money is used for a variety of science including astrophysics, astronomy, climate studies, and the exploration of the solar system.”

This startup is getting closer to bringing next-generation nuclear to the grid. TechnologyReview.com article. Pull quote: “The company’s molten salt is called Flibe, and it’s a specific mix of lithium fluoride and beryllium fluoride. One fun detail I learned from Laufer is that the mixture needs to be enriched in lithium-7 because that isotope absorbs fewer neutrons than lithium-6, allowing the reactor to run more efficiently. The new facility in Albuquerque will produce large quantities of high-purity Flibe enriched in lithium-7.”

The Dogs of Chernobyl Are Experiencing Rapid Evolution, Study Suggests. PopularMechanics.com article. Pull quote: “However, this study provides a template for further investigation into the effects of radiation on larger mammals, as the DNA of dogs roaming the Chernobyl Power Plant and nearby Chernobyl City can be compared to dogs living in non-irradiated areas. Despite a current lack of firm conclusions, the study has shown once again that an area that—by all rights—should be a wasteland has become an unparalleled scientific opportunity to understand radiation and its impact on natural evolution.”

The risk of a bird flu pandemic is rising. TechnologyReview.com article. Pull quote: “And once you combine that increased risk with an upcoming change in presidential administration that might leave US health agencies in the hands of a vaccine denier who promotes the consumption of raw milk, well … it’s not exactly a comforting thought.”

Management Implication Report: Cybersecurity Concerns Related to Drinking Water Systems.EPAOIR.gov report. Pull quote: “As part of our continued oversight of the EPA’s role as a sector risk management agency, passive assessment of cybersecurity vulnerabilities was conducted on drinking water systems with populations served of 50,000 people or greater. This consisted of a multilayered, passive assessment tool to scan the public-facing networks [emphasis added] of 1,062 drinking water systems across the United States. The results identified cybersecurity vulnerabilities that an attacker could exploit to degrade functionality, cause loss or denial of service, or facilitate the theft of customer or proprietary information.”

FTC finds that smart-device makers fail to make clear how long their products will be supported. TechCrunch.com article. Pull quote: “FTC staff found that 161 of the 184 products surveyed did not disclose information about the device’s support duration or end date on the manufacturers’ web pages. And when staff conducted basic internet searches to track down support duration, they didn’t find the information for 124 of the devices.”

Transportation Chemical Incidents – Week of Week of 10-26-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 450 (430 highway, 14 air, 5 rail, 1 water)

• Serious incidents – 3 (3 Bulk release, 1 evacuation, 0 injury, 0 death, 1 major artery closed, 0 fire/explosion, 21 no release)

• Largest container involved – 26,337-gal DOT 111S100W1 Railcar {Diesel Fuel} Leaking from the packing gland at the BOV.

• Largest amount spilled – 2,400-gal DOT 111A100W5 Railcar {Hydrochloric Acid} Hole in the bottom shell of tank car.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: 2-Dimethylaminoethanol - A clear colorless liquid with a fishlike odor. Flash point 105°F. Less dense than water. Vapors heavier than air. Toxic oxides of nitrogen produced during combustion. Used to make other chemicals. (Source: CameoChemicals.NOAA.gov).

 

Short Takes – 11-28-24 – Federal Register Edition

Comment Request; Chemical Weapons Convention Provisions of the Export Administration Regulations. Federal Register BIS 30-day information collection request notice. Summary: “The Chemical Weapons Convention (CWC) is a multilateral arms control treaty that seeks to achieve an international ban on chemical weapons (CW). The CWC prohibits, the use, development, production, acquisition, stockpiling, retention, and direct or indirect transfer of chemical weapons. This collection implements the following export provision of the treaty in the Export Administration Regulations:” Schedule 1 notification and report and Schedule 3 End-Use Certificates. Comments due: Not listed, but should be December 29^th, 2024. Slight, unexplained, reduction in burden estimate.

Comment Request; Toxic Chemical Release Reporting (Renewal). Federal Register EPA 30-day information collection request notice. Summary: “This ICR consolidates the following final rule ICRs titled: “Rule-Related ICR Amendment; Changes to Reporting Requirements for Per- and Polyfluoroalkyl Substances; Community Right-to-Know Toxic Chemical Release Reporting, Final Rule (RIN 2070-AK97)” (OMB Control Number 2070-0225; EPA ICR Number 2724.02), “Addition of Natural Gas Processing Facilities to the Toxics Release Inventory (TRI) (Final Rule)” (OMB Control Number 2070-0206; EPA ICR Number 2560.02); and “Parent Company Definition for TRI Reporting (Final Rule)” (OMB Control Number 2070-0216; EPA ICR Numer 2597.02) into this renewal ICR. Upon OMB approval of this ICR, EPA intends to discontinue OMB Control Numbers 2070-0225, 2070-0206, and 2070-0216.” Comments Due: December 27^th, 2024.

Notice of Availability, Notice of Public Comment Period, Notice of Public Meetings, and Request for Comment on the Revised Draft Tiered Environmental Assessment for SpaceX Starship/Super Heavy Vehicle Increased Cadence at the Boca Chica Launch Site in Cameron County, Texas. Federal Register FAA public notice and request for comments. Summary: “In accordance with the National Environmental Policy Act of 1969, as amended (NEPA), Council on Environmental Quality NEPA-implementing regulations, and FAA Order 1050.1F, Environmental Impacts: Policies and Procedures, the FAA is announcing the availability of the Revised Draft Tiered Environmental Assessment for SpaceX's proposal to increase the number of launches and landings of its Starship/Super Heavy vehicle at the Boca Chica Launch Site in Cameron County, Texas (Revised Draft EA), and its intent to hold public meetings. The Revised Draft EA analyzes SpaceX's proposal to increase launch and landing cadence up to 25 annual Starship/Super Heavy orbital launches, including: up to 25 annual landings of Starship (Second stage), and up to 25 annual landings of Super Heavy (First stage). The Revised Draft EA also addresses vehicle upgrades.” Public comments due: January 17^th, 2025.

Recordkeeping and Reporting Occupational Injuries and Illnesses; Revision of the Office of Management and Budget's (OMB) Approval of Information Collection (Paperwork) Requirements. Federal Register OSHA 60-day ICR revision notice. Pull quote: “OSHA is requesting a revision the currently approved collection of information requirements contained in the paperwork package for Recordkeeping and Reporting Occupational Injuries and Illnesses (29 CFR part 1904) by OMB. This revision is incorporating the collections of information contained in the paperwork package for Improve Tracking of Injuries and Illnesses, OMB Control Number 1218-0279, with the paperwork package for Recordkeeping and Reporting Occupational Injuries and Illnesses paperwork package, OMB Control Number 1218-0176. As a result, the agency is requesting a program change increase of 112,551 hours and an adjustment decrease of 5,934 hours the burden going from 2,167,111 to 2,161,177 hours.” Comments due: January 27^th, 2024.

Short Takes – 11-27-24

CHEMICAL ENGINEER (RECENT GRADUATE). USAJOBS.gov job listing. Summary: “This position is part of the Chemical Safety and Hazard Investigation Board. The incumbent will be responsible for the chemical engineer/investigator, providing technical and analytical assistance in chemical investigations. You will serve in a trainee capacity, performing routine and recurring developmental assignments to acquire knowledge and an understanding of functions, principles, practices, and methods used in the area of Chemical Engineering.” Position closes December 5^th, 2024.

Trump signs MOU with Biden White House for next phase of transition. TheHill.com article. Pull quote: “Wiles’s [Trump chief of staff] statement did not say the transition had signed any similar document with the Justice Department to complete background checks of incoming officials, nor did it give any indication about whether Trump’s team would release an ethics agreement about resolving conflicts of interest.”

Review: Waiting for Spaceships. TheSpaceReview.com book review. Pull quote: “Huetter documents that experience in photos he took while at the base for seven shuttle landings from 1982 to 1989. People arrived early, driving everything from RVs to small cars, camping out and doing things you might expect to see from visitors in a state park: barbequing, sunbathing, and chatting with their neighbors. Canteens were available where you could by $2 pancakes and $1 beer. The one thing that perhaps made clear this was a space event and not a giant campout was the large number of souvenir vendors, selling shuttle-themed caps, t-shirts, photos, and more.” I was on hand for the return of STS 26 in October of 1988, along with 425,000 of my closest friends (GRIN).

Review - CISA Provides Chemical Sector Specific Goals for Cybersecurity

Last week the Cybersecurity and Infrastructure Security Agency (CISA) announced that they had released Sector-Specific Goals (SSGs) for the Chemical Sector. The brief document provides a broad description of three voluntary cybersecurity related goals for the chemical sector. A link to a restricted page dealing with Cross-sector Cybersecurity Performance Goals is provided.

The three SSGs for the Chemical Sector are:

Chem.1 - System Lifecycle Management,

Chem.2 - Disable unnecessary systems, applications, and services, and

Chem.3 - Mobile Device Management

Commentary

What is missing from this ‘new’ cybersecurity management tool is an explanation of why these three goals are tailored specifically to the chemical sector. For example, there is no mention in any of these three goals about the relationship between cybersecurity and process safety, a key concern for the chemical sector. Any cybersecurity program for this sector that does not address that linkage is going to fail to prioritize cybersecurity processes tied to potentially catastrophic outcomes from successful attacks.

 

For a more detailed look at the three goals and the supporting information provided by CISA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cisa-provides-chemical-sector-specific - subscription required.

OMB Approved DOC ICTS Supply Chain Security Final Rule

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the Department of Commerce on “Securing the Information and Communications Technology and Services Supply Chain”. The notice of proposed rulemaking was published on November 27^th, 2019. An interim final rule (IFR) was published on January 19^th, 2021.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“Pursuant to Executive Order 13873 [link added] of May 15,2019,"Securing the Information and Communications Technology and Services Supply Chain” and Executive Order 14034 [link added] of June 9, 2021, Protecting Americans' Sensitive Data From Foreign Adversaries,” the Department of Commerce is finalizing the rule that sets forth the process and procedures that the Secretary of Commerce will use to identify, assess, and address transactions that pose an undue risk to the security, integrity, and reliability of information and communications technology and services provided and used in the United States.”

With a probable effective date well after Trumps inauguration in January, the new administration will be able to effectively kill this final rule with an executive order (the underlying IFR would take a new rulemaking to undo). While the rulemaking was initiated under Trumnp 45, the Biden Administration put their stamp on the rulemaking, so it is unclear whether the new administration would let this rule stand.

I will probably not be covering the publication of this final rule in any detail. I will, however, note its publication in the appropriate Short Takes post.

Short Takes – 11-26-24

Bird flu has been detected in raw milk in California. TheHill.com article. Pull quote: “The virus was found in a batch of cream top, whole raw milk produced and packaged at Raw Farm LLC after a public health laboratory purchased it at a retail outlet [emphasis added] for testing.”

Bird flu strikes 1st child in the US. CDC says infection source unknown. LiveScience.com article. More information than earlier article. Pull quote: “In the child's case, they initially tested positive for low levels of the H5N1 virus. Several days later, their results came back negative for H5N1 but positive for other common respiratory viruses. The child's symptoms were mild, similar to those seen with the other H5N1 cases reported in the U.S. so far. The CDPH also noted that many of the child's flu-like symptoms could have resulted from their concurrent viral infections.” Ties to raw milk incident investigated.

Squirting Cucumbers Shoot Their Seeds Like Botanical Bombardiers. NYTimes.com article (free). Pull quote: “The researchers also calculated the pressure within the cucumber and found that it’s similar to that of an inflated mountain bike tire, Dr. Box said. Using that and other data they collected on the plant, the researchers worked out the math behind the dispersal of seeds. That allowed them to simulate how hypothetical mutant plants would spread differently.”  Great Video - https://vp.nyt.com/video/2024/11/25/130107_1_25tb-squirting-cucumbers-16086_wg_1080p.mp4

The engine of Japan's flagship new small rocket explodes during a test for a second time. Phys.org article. Pull quote: “"Development of flagship rockets such as Epsilon S is extremely important from the perspective of ensuring autonomy of Japan's space development," Hayashi told reporters. "JAXA will thoroughly investigate and take steps."”

The search for a commercial lunar economy. TheSpaceReview.com article. Pull quote: “Those [decadal] timelines pose challenges for companies with private investors who want returns in several years, not several decades. That means companies like Intuitive Machines will, for now, look to government customers who have requirements linked to science and national prestige to motivate spending billions on lunar missions and enabling infrastructure. Intuitive Machines won a NASA contract in September worth as much as $4.8 billion over ten years to provide lunar communications services, funding a five-satellite network that could potentially be used by other customers as well as NASA.” Hard to see standalone commercial development until some level of infrastructure is developed.

Trump team barred from agencies amid legal standoff. Politico.com article. Pull quote: “Watchdog groups, ethics experts and former government officials say the delay in coordination with federal agencies, which typically begins by mid-November, means the new administration won’t be up to speed on the state of the career workforce and budget and what headaches may await them when Trump takes the oath of office on Jan. 20. The failure thus far to sign the memorandums has also troubled Biden officials, who are particularly concerned about the potential national security implications.”

Notice of Meeting; Homeland Security Advisory Council. Federal Register DHS meeting notice. Summary: “OPE is publishing this notice of a [closed to the public] meeting of the Homeland Security Advisory Council (HSAC). This meeting will discuss security related threats and DHS operations post-election.”

Proposed Collection, and Comment Request; Terrorism Risk Insurance Program-Data Collection Forms. Federal Register Treasury information collection request 60-day renewal notice. Summary: “The Secretary of the Treasury (Secretary) administers the Terrorism Risk Insurance Program (TRIP or Program), including the issuance of regulations and procedures regarding the Program. The Federal Insurance Office (FIO) assists the Secretary in the administration of the Program. The Department of the Treasury (Treasury), as part of its continuing effort to reduce paperwork burdens, invites the general public and other Federal agencies to comment on approved information collections for annual data collection that are due for extension by the Office of Management and Budget (OMB) (currently approved under OMB 1505-0257). These forms will be utilized, beginning in calendar year 2025, in connection with both the federal and state annual data calls regarding terrorism risk insurance. State insurance regulators, through the National Association of Insurance Commissioners (NAIC), will separately address any comments sought or made in connection with the state data call.” Minor burden estimate changes based upon 2024 call data. Comments due: January 27^th, 2025.

Review – Siemens Publishes Out-of-Zone Update – 11-26-24

Today, Siemens announced that it had published an update for their Mendix Runtime advisory. For the last few years Siemens has routinely published their advisories and updates on Cyber Tuesday (2^nd Tuesday of the month).

Updates

Siemens Update - This update provides additional information on the Mendix Runtime advisory that was originally published on September 10^th, 2024, and most recently updated on November 12^th, 2024.

 

For more information on this advisory, including a down-the-rabbit-hole look at the reported fix, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-zone-update - subscription required.

Review – 5 Advisories and 1 Update Published – 11-26-24

Today, CISA’s NCCIC-ICS published five control system security advisories for products from Hitachi Energy and Schneider Electric. They also published an update for a medical device security advisory for products from Philips.

Advisories

Hitachi Energy Advisory #1 - This advisory describes an improper input validation vulnerability in the Hitachi Energy RTU500 series products.

Hitachi Energy Advisory #2 - This advisory describes five vulnerabilities in the Hitachi Energy MicroSCADA Pro.

Schneider Advisory #1 - This advisory describes three vulnerabilities in multiple Schneider products.

Schneider Advisory #2 - This advisory describes the use of a broken or risky cryptographic algorithm in the Schneider owerLogic P5 product.

Schneider Advisory #3 - This advisory describes two vulnerabilities in the Schneider PowerLogic PM5500 and PowerLogic PM8ECC products.

Updates

Philips Update - This update provides additional information on the Vue PACS advisory that was originally published on July 18^th, 2024.

 

For more information on these advisories, including when vendors released and updated their versions of these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-abe - subscription required.

Short Takes – 11-25-24

Blue Origin's New Glenn rocket goes vertical on the launch pad. Phys.org article. Pull quote: “Jeff Bezos' rocket company is using the first flight of New Glenn to fly up and test the company's Blue Ring hardware, which is used to deliver payloads to their proper place in orbit once deployed. It will also be the first of two required flights to get certification by the Space Force to fly national security missions.”

Notice of the Renewal of the Critical Infrastructure Partnership Advisory Council Charter. Federal Register CISA advisory committee renewal notice. Summary: “On September 9, 2024, the Secretary of the Department of Homeland Security approved the renewal of the Critical Infrastructure Partnership Advisory Council (CIPAC) Charter. Through this notice, the Department is making the renewed CIPAC Charter publicly available and highlighting updated information and guidelines that have been included in the renewed charter.”

Sunshine Act Meeting (NTSB). Federal Register NTSB meeting notice. Agenda: “Pipeline Investigation Report—UGI Utilities Inc. Natural Gas Pipeline Explosion and Fire, West Reading, Pennsylvania, March 24, 2023”

BIS Sends Australia Group Final Rule to OMB

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Implementation of Certain Australia Group Decisions”. This rulemaking was not included in the Spring 2024 Unified Agenda.

The Australia Group is an ‘informal’ group of 42 countries that “coordinate their national export controls to limit the supply of chemicals and biological agents-as well as related equipment, technologies, and knowledge-to countries and nonstate entities suspected of pursuing chemical or biological weapons (CBW) capabilities.” 

Short Takes – 11-23-24

Underwater volcano-like structure is spewing gas off Alaska's coast, US Coast Guard says. LiveScience.com article. Pull quote: “The structure may be spewing gas, based on data collected from the water above it, but the scientists still aren't certain. Whether the structure turns out to be a volcano or not, it is 5,250 feet (1,600 m) deep at its shallowest point, meaning it poses no risk to navigation, according to a statement.”

Eggs are getting scarcer and pricier ahead of the holidays. Here's why. CSBNews.com article. Pull quote: “After a brief respite from bird flu among commercial-egg producers, HPAI struck again starting in mid-October, resulting in the loss of 2.8 million birds. The nation's egg production fell 2.6% last month from a year ago and is projected to be down 1% this year versus 2023, the U.S. Department of Agriculture's Economic Research Service recently said in a monthly report.”

California Case Is the First Confirmed Bird Flu Infection in a U.S. Child. MedPageToday.com article. Pull quote: “Officials said they were investigating how the child was infected. California health officials previously said in a statement that they were looking into a "possible exposure to wild birds."”

The ISS has been leaking air for 5 years, and engineers still don’t know why. Arstechnica.com article. Pull quote: “"The Russians believe that continued operations are safe, but they can't prove to our satisfaction that they are," said Cabana, who was the senior civil servant at NASA until his retirement in 2023. "And the US believes that it's not safe, but we can't prove that to the Russian satisfaction that that's the case.” 

CSB Publishes Bio-Lab Investigation Update – 11-23-24

Yesterday the Chemical Safety Board announced the publication of an investigation update for their ongoing look at the multi-day fire and toxic chemical release at the Bio-Lab facility in Conyers, GA. Initial news reports had indicated that the initiating event was a roof fire, but the announcement paints an entirely different picture, reporting that:

“The CSB’s update outlines the events surrounding the massive blaze. On September 29, 2024, at 5:00 a.m., a Bio-Lab employee on fire watch in the Plant 12 storage warehouse heard what was reported as a popping sound, which they attributed to wet product. There were no visible flames at that time. After an unsuccessful attempt to isolate the reacting product, the employee called the only other Bio-Lab employee on-site.  At approximately 5:10 a.m., the employee called 9-1-1 due to the large hazardous plumes of toxic vapors inside the building. By 6:30 a.m., flames became visible above the area of the chemical reaction and were quickly extinguished in less than two hours.”

The investigation update notes that:

“Bio-Lab leadership informed the CSB that the facility had established a permanent fire watchc two or three months prior to the incident after detecting strong odors from oxidizers in two storage buildings, one of which was Plant 12. This precaution was taken to mitigate any potential product decomposition events. At the time of the initial incident, two Bio-Lab employees were present on-site to carry out fire watch duties. Their responsibilities included identifying and managing hazards, detecting early signs of product decomposition or fire hazards, notifying site leadership of any observed leaks or other water intrusions, and contacting the third-party sprinkler company if a sprinkler head was leaking.”

This would seem to indicate that Bio-Lab had been having water leak problems leading to isolated decomposition reactions. It will be interesting to see how the final report deals with this.

The update concludes with a list of issues that the investigators are still looking at:

• The cause of the material decomposition, off-gassing, and fire

• Storage and handling of oxidizers and their compatibility

• Best practices for responding to emergencies involving bulk solid oxidizer chemical reactions and decompositions

• Regulatory and Industry guidance on fire protection systems for bulk solid oxidizers

Chemical Incident Reporting – Week of 11-16-24

NOTE: See here for series background.

Weslaco, TX – 11-15-24

Local News Report: Here, here, and here.

There was a chlorine dioxide leak at a water treatment facility. No injuries have been reported.

Not CSB reportable.

I reported on a 2015 incident at this facility. Apparently, the facility has changed their chlorine source from sodium hypochlorite to chlorine dioxide.

Review – Public ICS Disclosures – Week of 11-16-24

This week we have 21 vendor disclosures from Dassault Systems, HPE, Palo Alto Networks (2), Philips (2), QNAP (8), Sick, WAGO, Westermo (2), Wireshark (2), and Zyxel. There are also seven vendor updates from FortiGuard, Mitsubishi, Moxa (4), and VMware. We also have three researcher reports for vulnerabilities in products from MC Technologies (2) and Mongoose Web Server Library. Finally, we have three exploits for products from Korenix, Palo Alto Networks, and Siemens.

Advisories

Dassault Systems Advisory - Dassault Systems published an advisory that describes two vulnerabilities in their eDrawings product.

HPE Advisory - HPE published an advisory that describes an improper handling of exceptional conditions vulnerability in their NonStop DISK UTIL.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes an OS command injection vulnerability {listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog} in their PAN-OS products.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes a missing authentication for critical function vulnerability {listed in CISA’s KEV catalog} in their PAN-OS products.

Philips Advisory #1 - Philips published an advisory that discusses an argument injection vulnerability reported by Laravel.

Philips Advisory #2 - Philips published an advisory that discusses an improper authentication vulnerability {listed in CISA’s KEV catalog} reported by Microsoft in their Windows Scheduler.

QNAP Advisory #1 - QNAP published an advisory that describes four vulnerabilities in their Notes Station 3.

QNAP Advisory #2 - QNAP published an advisory that discusses three vulnerabilities in their QTS and QTS Hero products.

QNAP Advisory #3 - QNAP published an advisory that describes four cross-site scripting vulnerabilities in their Photo Station products.

QNAP Advisory #4 - QNAP published an advisory that describes an exposure of sensitive information to unauthorized actor vulnerability in their AI Core product.

QNAP Advisory #5 - QNAP published an advisory that describes a link following vulnerability in their QuLog Center product.

QNAP Advisory #6 - QNAP published an advisory that describes 15 vulnerabilities in their QTS and QuTS hero products.

QNAP Advisory #7 - QNAP published an advisory that describes two OS command injection vulnerabilities in their QuRouter product.

QNAP Advisory #8 - QNAP published an advisory that describes an authorization bypass through user controlled key vulnerability in their Media Streaming Add-on.

Sick Advisory - Sick published an advisory that describes an execution with unnecessary privileges vulnerability in their  Incoming Goods Suite.

WAGO Advisory - CERT-VDE published an advisory that describes eight vulnerabilities in the firmware of multiple WAGO products.

Westermo Advisory #1 - Westermo published an advisory that discusses an out-of-bounds write vulnerability (with publicly available exploit) in their WeOS.

Westermo Advisory #2 - Westermo published an advisory that discusses the Blast-Radius vulnerabilities in their WeOS products

Wireshark Advisory #1 - Wireshark published an advisory that describes an ECMP dissector crash vulnerability.

Wireshark Advisory #2 - Wireshark published an advisory that describes an FiveCo RAP dissector infinite loop vulnerability.

Zyxel Advisory - Zyxel published an advisory that discusses recent attempts by threat actors to target Zyxel firewalls through previously disclosed vulnerabilities.

Updates

FortiGuard Update #1 - FortiGuard published an update for their CONTINUATION Frames advisory that was originally published on May 14^th, 2024.

FortiGuard Update #2 - FortiGuard published an update for their regreSSHion advisory that was originally published on July 9^th, 2024, and most recently updated on November 15^th, 2024.

Mitsubishi Update - Mitsubishi published an update for their Ethernet port advisory that was originally published on November 30^th, 2021, and most recently updated on November 9^th, 2023.

Moxa Update #1 - Moxa published an update for their Ethernet Switches advisory that was originally published on November 1^st, 2024.

Moxa Update #2 - Moxa published an update for their MDS-G4028-L3 Series advisory that was originally published on November 4^th, 2024.

Moxa Update #3 - Moxa published an update for their Cellular Routers advisory that was originally published on October 14^th, 2024, and most recently updated on October 25^th, 2024.

Moxa Update #4 - Moxa published an update for their SSLv2 Vulnerabilities advisory that was originally published on March 31^st, 2016.

VMware Update - VMware published an update for their vCenter Server advisory that was originally published on September 17^th, 2024, and most recently updated on October 21^st, 2024.

Researcher Reports

MC Technologies Reports - Cisco Talos published two reports covering four OS command injection vulnerabilities in the MC Technologies MC LR Router web interface.

Mongoose Web Server Report - Nozomi Networks published a report describing ten vulnerabilities in the Mongoose Web Server Library.

Exploits

Korenix Exploit - St. Pölten UAS published an exploit for a path traversal vulnerability in the Korenix JetPort 5601.

Palo Alto Networks Exploit - Sachinart published an exploit for a missing authentication for critical function vulnerability in the Palo Alto Networks PAN-OS product.

Siemens Energy Exploit - SEC Consult published an exploit for four vulnerabilities in the Siemens Energy Omnivise T3000.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-3cc - subscription required.

Review - Siemens Publishes Out-of-Zone Advisory – 11-22-24

Today Siemens published a control system security advisory outside of their normal Cyber Tuesday (November 12^th this month) tranche of advisories. This is the third out-of-zone advisory this month.

Siemens Advisory - Siemens published an advisory that discusses four vulnerabilities (two listed in CISA’s KEV catalog) in the Palo Alto Networks Virtual NGFW on Siemens RUGGEDCOM APE1808 Devices.

 

For more information on this advisory, including links to PAN advisories and a DTRH look at a similar Siemens advisory – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-zone-advisory-e12 - subscription required. 

Transportation Chemical Incidents – Week of 10-19-24

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 455 (416 highway, 33 air, 6 rail, 0 water)

• Serious incidents – 2 (2 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion, 42 no release)

• Largest container involved – 33,630-gal DOT 112J340W Railcar {Petroleum Gases, Liquefied Or Liquefied Petroleum Gas} A-end liquid valve opened, and secondary closure plug not tool tight.

• Largest amount spilled – 200-gal Plastic IBC { Flammable Liquids, N.O.S.} Load shift.

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Acetic Acid, Glacial - A clear colorless liquid with a strong odor of vinegar. Flash point 104°F. Density 8.8 lb / gal. Corrosive to metals and tissue. Used to make other chemicals, as a food additive, and in petroleum production. Water soluble. (Source: CameoChemicals.NOAA.gov).

 

CG Sends Maritime Cybersecurity Final Rule to OMB

Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the Coast Guard on “Cybersecurity in the Marine Transportation System”. The notice of proposed rulemaking (NPRM) was published [removed from paywall] on February 22^nd, 2024.

According to the 2024 Spring Unified Agenda entry for this rulemaking:

“The Coast Guard has published a proposed rule to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations.  This proposed rulemaking is part of an ongoing effort to address emerging cybersecurity risks and threats to maritime security by including additional security requirements to safeguard the marine transportation system.”

Bills Introduced – 11-21-24

 

Yesterday, with both the House and Senate in lame duck session, there were 68 bills introduced. One of those bills will (if time remaining in session permits) receive additional coverage in this blog:

HR 10209 To amend the Cybersecurity Enhancement Act of 2014 to make improvements to the Federal Cyber Scholarship for Service Program, and for other purposes. Connolly, Gerald E. [Rep.-D-VA-11]

Short Takes – 11-21-24

Ukraine says Russia launched an intercontinental missile in an attack for the first time in the war. APNews.com article. Pull quote: “While the range of an ICBM would seem excessive for use against Ukraine, such missiles are designed to carry nuclear warheads, and the use of one would serve as a chilling reminder of Russia’s nuclear capability and a powerful message of potential escalation.”

CISA Director Jen Easterly to depart on Inauguration Day. NextGov.com article. Pull quote: “Ohio Secretary of State Frank LaRose is being considered to lead the agency after Easterly leaves, Politico reported last week, citing four people who have spoken to those in his orbit.” Also points out that the last-administration’s political-appointees generally leave on inauguration day.

NSA Director Wants Industry to Disclose Details of Telecom Hacks. Bloomberg.com article. Pull quote: “Two cybersecurity experts who requested anonymity to speak freely have privately complained about the lack of information shared that could otherwise help them and others understand, find and tackle the hacks.”

Whooping cough cases have quintupled. These states have it worst. TheHill.com article. Pull quote: “Experts believe the 2024 surge in cases may be in part because of missed vaccinations during the COVID-19 pandemic. Widespread masking in 2020 and 2021 also helped prevent spreading of the bacteria that causes pertussis. Now, the disease is back with a vengeance, and we’re seeing more cases than we did in 2019.”

Scientists identify previously unknown compound in drinking water. TheHill.com article. Pull quote: “The mystery compound is called “chloronitramide anion,” which forms from the decomposition of inorganic chloramines — disinfectants used to safeguard people from diseases like typhoid and cholera, the researchers found in a study, published Thursday in Science.”

Review – 7 Advisories Published – 11-21-24

Today, CISA’s NCCIC-ICS published seven control system security advisories for products from mySCADA, Schneider (4), CODESYS, and Carrier.

Advisories

mySCADA Advisory - This advisory describes five vulnerabilities in the mySCADA myPRO Manager products.

Schneider Advisory #1 - This advisory describes an uncontrolled resource consumption vulnerability in the Schneider PowerLogic PM5300 series energy meters.

Schneider Advisory #2 - This advisory describes a missing authentication vulnerability in the Schneider EcoStruxure IT Gateway.

Schneider Advisory #3 - This advisory describes an improper input validation vulnerability in the Schneider Modicon M340, MC80, and Momentum Unity M1E products.

CODESYS Advisory - This advisory describes an out-of-bounds read vulnerability in the CODESYS OSCAT Basic Library.

Carrier Advisory - This advisory describes two vulnerabilities in the Carrier (Automated Logic subsidiary) WebCTRL Premium Server.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-published-11-21-24 - subscription required.

CISA Adds 2 VMware Vulnerabilities to KEV – 11-21-24

Yesterday CISA announced the addition of two vulnerabilities in the VMware vCenter Server to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities were previously reported by Broadcom. The vulnerabilities were demonstrated by zbl & srs of team TZL at this years Matrix Cup cybersecurity competition in China.

The two vulnerabilities are:

• Out-of-bounds write - CVE-2024-38812, and

• Improper check for dropped privileges - CVE-2024-38813

CISA has ordered federal agencies using the vCenter Server to apply “mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” The deadline for achieving this requirement is December 11^th, 2024. 

Review - CSB Updates Seven Recommendation Statuses – 11-18-24

Yesterday the Chemical Safety Board announced the status updates of seven recommendations made during the publication of earlier investigation reports. The decisions were made by the CSB on November 18^th, 2024. The Board closed out six recommendations with an acceptable status and left one recommendation open with a favorable nod to actions taken to date. This week’s action leaves 137 recommendations (out of 1,000) open.

The seven recommendations updated include:

• Wacker Polysilicon Chemical Release - 2021-01-I-TN-R6 - Wacker Polysilicon,

• Didion Milling Company Explosion and Fire - 2017-07-I-WI-R13 - National Fire Protection Association (NFPA),

• Kuraray Pasadena Release and Fire - 2018-03-I-TX-R3 - Kuraray America, Inc,

• Kuraray Pasadena Release and Fire - 2018-03-I-TX-R4 - Kuraray America, Inc,

• Williams Olefins Plant Explosion and Fire - 2013-3-I-LA-R4 - American Petroleum Institute (API),

• Williams Olefins Plant Explosion and Fire - 2013-3-I-LA-R5 - American Petroleum Institute (API), and

• Caribbean Petroleum Refining Tank Explosion and Fire - 2010-02-I-PR-R7 - American Petroleum Institute (API)

 

For more information on the actions taken, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-seven-recommendation - subscription required.

CSB Publishes Investigation Update for Deer Park Refinery Incident – 11-20-24

Yesterday, the Chemical Safety Board announced the publication of an investigation update for the fatal hydrogen sulfide release (discussed here and here) at PEMEX Deer Park Refinery on October 10^th, 2024. The update provides an overview of the facility operation and a timeline for the incident. It also summarizes the areas that the investigators are continuing to look at, including:

• Permit-to-work practices

• Energy isolation procedures

• Contractor management systems

• Emergency preparedness and response systems

• Emergency communication practices

• Hazard analyses and risk assessments

• Maintenance procedures

• Training programs

• Respiratory protection policies and procedures

• Remote isolation capability

It is interesting to note that the update indicates that the hydrogen sulfide release was due to contractors doing permitted-work opened a flange on the wrong piping.

BTW: The CSB is using a cloud platform at Box.com to release this interim report.

Short Takes – 11-20-24

The key moment came 38 minutes after Starship roared off the launch pad. ArsTechnica.com article. Pull quote: “Before going for a full orbital flight, officials needed to confirm Starship could steer itself back into the atmosphere for reentry, ensuring it wouldn't present any risk to the public with an unguided descent over a populated area. After Tuesday, SpaceX can check this off its to-do list.” Lots of interesting program details in the article.

SpaceX Starship Launch Ends With a Dramatic Water Landing. NYTimes.com article. Pull quote: “Though the SpaceX livestream stayed away from political commentary, Mr. Trump’s attendance at the launch signals a growing bond between the president-elect and Mr. Musk.”

Wrangling over whether to punt government funding to Trump heats up. TheHill.com article. Pull quote: ““So, if they’re willing to work on a little bipartisan basis — we know we’re not … the majority. We can get things done, but if they want a partisan bill, then they have to do it on their own, and they’ve shown no ability to do it.””

Every hurricane this season was turbocharged and made more intense than it should have been, study finds. CNN.com article. Pull quote: “Other scientists not involved in the study agreed with the researchers’ overall finding that that human-caused global warming was intensifying storms, but urged caution around the specific increase in wind speeds, particularly with projecting the influence of global warming on future storms.”

Risk Management Under the Toxic Substances Control Act: Certain Per- and Polyfluoroalkyl Substances; Extension of Comment Period. Federal Register EPA comment extension. Summary: “The Environmental Protection Agency (EPA) is extending the comment period for the notice that published in the Federal Register on September 30, 2024, seeking public comment on the manufacture of certain per- and polyfluoroalkyl substances (PFAS), including perfluorooctanoic acid (PFOA), perfluorononanoic acid (PFNA), and perfluorodecanoic acid (PFDA), during the fluorination of high-density polyethylene (HDPE) and other plastic containers to inform regulations as appropriate under the Toxic Substances Control Act (TSCA). That notice established a public comment period that is scheduled to end on November 29, 2024. This document extends that comment period for 31 days to December 30, 2024. EPA received a request to extend the comment period from an interested stakeholder who requested additional time to collect information relating to EPA's notice and develop thoughtful responses to the issues raised in EPA's notice. EPA believes it is appropriate to extend the comment period in order to give stakeholders including the requester additional time to identify and gather information related to the issues identified in EPA's notice and to prepare comprehensive comments.”

300 Drinking Water Systems in US Exposed to Disruptive, Damaging Hacker Attacks. SecurityWeek.com article. Pull quote: ““Moreover, we were unable to find documented policies and procedures related to the EPA’s coordination with the Cybersecurity and Infrastructure Security Agency and other federal and state authorities involved in sector-specific emergency response, security plans, metrics, and mitigation strategies,” OIG notes.”

Review – Public ICS Disclosures – Week of 11-9-24 – Part 3

A delayed completion of my review of last weeks control system cybersecurity disclosures. For Part 3 we have 28 vendor updates from Broadcom (4), FortiGuard (2), HPE (6), Palo Alto Networks, Schneider (2), and Siemens (13).

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on September 26^th, 2024.

Broadcom Update #2 - Broadcom published an update for their Brocade SANnav advisory that was originally published on October 14^th, 2024.

Broadcom Update #3 - Broadcom published an update for their Oracle Critical Patch advisory that was originally published on November 2^nd, 2024.

Broadcom Update #4 - Broadcom published an update for their Azul Zulu Java advisory that was originally published on November 2^nd, 2024.

FortiGuard Update #1 - FortiGuard published an advisory for their regreSSHion vulnerability advisory that was originally published on July 9^th, 2024, and most recently updated on October 16^th, 2024.

FortiGuard Update #2 - FortiGuard published an advisory for their missing authentication in fgfmsd advisory that was originally published on October 23^rd, 2024, and most recently updated on November 7^th, 2024.

HPE Update #1 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Synergy, and Edgeline Servers advisory that was originally published on September 12^th, 2024.

HPE Update #2 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Synergy, and Edgeline Servers advisory that was originally published on September 12^th, 2024.

HPE Update #3 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 19^th, 2024.

HPE Update #4 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 13^th, 2024.

HPE Update #5 - HPE published an update for their StoreEasy Servers advisory that was originally published on September 13^th, 2024.

HPE Updated #6 - HPE published an update for their ProLiant DL/ML/XL, Alletra, Edgeline, MicroServer and Synergy Servers advisory that was originally published on September 16^th, 2024, and most recently updated on September 25^th, 2024.

Palo Alto Networks Advisory - Palo Alto Networks published an update for their Management Web Interface advisory that was originally published on November 8^th, 2024, and most recently updated on November 10^th, 2024.

Schneider Update #1 - Schneider published an update for their PowerLogic PM5500 advisory that was originally published on June 8^th, 2021.

Schneider Update #2 - Schneider published an update for their BadAlloc advisory that was originally published on November 9^th, 2021, and most recently updated on September 10^th, 2024.

Siemens Update #1 - Siemens published an update for their Industrial Products advisory that was originally published on May 14^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #2 - Siemens published an update for their n SIMATIC WinCC advisory that was originally published on July 9^th, 2024, and most recently updated on September 10^th, 2024.

Siemens Update #3 - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on October 8^th, 2024.

Siemens Update #4 - Siemens published an update for their RADIUS Protocol advisory that was originally published on July 9^th, 2024, and most recently updated on July 22^nd, 2024.

Siemens Update #5 - Siemens published an update for their Socket.IO advisory that was originally published on September 10^th, 2024.

Siemens Update #6 - Siemens published an update for their SIMATIC SCADA advisory that was originally published on September 10^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #7 - Siemens published an update for their Profinet Devices advisory that was originally published on July 13^th, 2021, and most recently updated on June 11^th, 2024.

Siemens Update #8 - Siemens published an update for their l GNU/Linux subsystem advisory that was originally published on December 12^th, 2023, and most recently updated on October 8^th, 2024.

Siemens Update #9 - Siemens published an update for their Palo Alto Networks advisory that was originally published on July 9^th, 2024, and most recently updated on October 8^th, 2024.

Siemens Update #10 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on April 9^th, 2024, and most recently updated on July 9^th, 2024.

Siemens Update #11 - Siemens published an update for their Mendix Runtime advisory that was originally published on September 10^th, 2024, and most recently updated on October 10^th, 2024.

Siemens Update #12 - Siemens published an update for their SIMATIC S7-1500 CPUs advisory that was originally published on October 8^th, 2024.

Siemens Update #13 - Siemens published an update for their User Management Component advisory that was originally published on September 10^th, 2024, and most recently updated on October 8^th, 2024.

 

For more information on these updates, including brief description of the recent changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-db2 - subscription required.