Thursday, March 28, 2024

Short Takes – 3-28-24

Requests for Comments; Clearance of a Renewed Approval of Information Collection: Unmanned Aircraft Remote Identification Message Elements. Federal Register FAA 30-day ICR renewal notice. Summary: “The collection involves electronic information that is broadcast directly from certain unmanned aircraft, specifically standard remote identification unmanned aircraft and unmanned aircraft equipped with a remote identification broadcast module. The collection of this information in the remote identification message elements is necessary to comply with the FAA's statutory requirement to develop and implement standards for remotely identifying operators and owners of unmanned aircraft. The collection of this information will also provide airspace awareness to enable the FAA, national security agencies, and law enforcement entities to distinguish compliant airspace users from those potentially posing a safety or security risk.” Comment deadline: April 26th, 2024.

Water isn’t normal. ChemistryWorld.com article. Pull quote: “We have worked out innumerable uses (and occasional abuses) of water’s unique properties, but it’s an irony of the universe that one of the most familiar substances in our world is simultaneously such a bizarre chemical outlier. Science shows us that our normal experience is only a tiny slice of reality: we’ve lived our entire lives at the bottom of a gravity well, to the point that it defines our notions of direction – ‘up’ and ‘down’ have no meaning in most of the universe. But thinking of water as the usual sort of liquid is one of our bigger misconceptions.”

HOW DOES TIME WORK ON THE MOON? HackADay.com article. Interesting article, but misses phases of Earth as a lunar time construct. Pull quote: “It’s easy to imagine overlaying local Moon time and a home Earth time zone on a calendar or planning app of some kind. Thus, if you know you’re heading to a given region at Moon midday, local Moon time, you know you’ve got at least 8.125 Earth days of sunlight before you get to the local dark time. Converting between this and the astronaut’s chosen 24-hour home time zone would become a perennial bugbear, but a necessary part of living and working on the Moon.”

Key Bridge Was Also Hit by a Ship in 1980, With Limited Damage. NYTimes.com article (free). Much larger ships pose a much larger threat. Pull quote: “Benjamin W. Schafer, a professor of civil and systems engineering at Johns Hopkins University in Baltimore, told Scientific American this week that the accident would most likely hold lessons for protecting bridge support structures from shipping traffic.”

Reestablishment of the Homeland Security Science and Technology Advisory Committee. Federal Register DHS committee charter notice. Summary: “The Secretary of Homeland Security has determined that the reestablishment of the Homeland Security Science and Technology Advisory Committee (HSSTAC) is necessary and in the public interest to support the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) in the performance of its duties.” New charter expires March 3rd, 2026.

Emergency Response Standard. Federal Register OSHA comment extension notice. Summary: “OSHA is extending the period for submitting comments by 45 days to allow stakeholders interested in the NPRM on Emergency Response additional time to review the NPRM and collect information and data necessary for comment.”

Cyber gangs stealing loads from US truckers, double brokering. NewsNationNow.com article. Pull quote: “If a shipper needs a load delivered to a warehouse or store, a scammer intervenes as the middleman and either holds the load for ransom or doesn’t deliver it. It’s significantly impacting the supply chain, trickling down to consumers as they may face price hikes or shortages of essential items such as food, electronics, building supplies and cars.”

Review - EPA Publishes Worst Case Discharge Final Rule

Today the EPA published a final rule in the Federal Register (89 FR 21924-21967) on “Clean Water Act Hazardous Substance Facility Response Plans”. The final rule was approved by OMB’s Office of Information and Regulatory Affairs (OIRA) on February 21st, 2024. The notice of proposed rulemaking was published on March 28th, 2022 (with additional coverage here and here). This rule establishes facility response plan requirements for worst case discharges of Clean Water Act (CWA) hazardous substances for onshore non-transportation-related facilities that could reasonably be expected to cause substantial harm to the environment by discharging a CWA hazardous substance into or on the navigable waters, adjoining shorelines, or exclusive economic zone.

The effective date for the final rule is May 28th, 2024.

 

For more information about this final rule, including a look at the differences between it and its predecessor notice of proposed rulemaking, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-worst-case-discharge-b1f - subscription required.

Wednesday, March 27, 2024

Review - HR 7447 Introduced – Election System Pentests

Last month, Rep Spanberger (D,VA) introduced HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002 by adding to the existing election system certification system a requirement to conduct third-party penetration testing of such systems. It would also establish a voluntary vulnerability disclosure program. No new funding is authorized by the legislation.

Moving Forward

Neither Spanberger nor her two cosponsors {Rep Deluzio (D,PA) and Rep Valadao (R,CA)} are members of the House Administration Committee to which this bill was assigned for primary consideration, nor the House Science, Space, and Technology Committee to which the bill was assigned for secondary consideration. This means that there is practically no chance that the bill will be considered by either committee. I see nothing in the bill that would engender any organized opposition. I suspect that it would receive some level of bipartisan support were it considered.

Commentary

While the term ‘penetration testing’ is used in the legislation, it is never defined. I would suggest using the definition of that term found in NIST SP 800-95 (pg C-3):

“A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.”

 

For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7447-introduced - subscription required.

Tuesday, March 26, 2024

Short Takes – 3-26-24

NY Republican says House could ‘end up having a Speaker Hakeem Jeffries’ as GOP majority narrows. TheHill.com article. Pull quote: “Former Rep. Brian Higgins’ (D-N.Y.) seat is also vacant and will be filled by a special election on April 30. With that seat likely going to a Democrat, the GOP could be left with just a two-seat margin during the month of May.”

Bird flu detected in milk from dairy cows in Texas and Kansas. WashingtonPost.com article. Pull quote: “The infections among cattle pose minimal risk to human food safety or milk supply and prices, officials said. Milk from sick cattle is being diverted or destroyed. Pasteurization — a heating treatment that kills pathogens — is required for milk involved in interstate commerce, greatly reducing the possibility that infected milk enters the food supply, they added.”

National Maritime Security Advisory Committee; Vacancies. Federal Register CG NMSAC notice. Summary: “The U.S. Coast Guard is accepting applications to fill seven vacancies on the National Maritime Security Advisory Committee (Committee). This Committee advises the Secretary of Homeland Security, via the Commandant of the U.S. Coast Guard on matters relating to national maritime security, including on enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident, between relevant Federal agencies and State, local, and tribal governments; relevant public safety and emergency response agencies; relevant law enforcement and security organizations; maritime industry; port owners and operators; and terminal owners and operators.” Applications to be submitted by May 28th, 2024.

2024 hurricane season conditions 'concerning,' hurricane expert says. WRAL.com article. Pull quote: “Brennan said while NOAA can’t release an official hurricane season forecast yet, the National Hurricane Center is integrating new tools to measure hurricane strength, including a new, unmanned aircraft.”

Starliner’s first commander: Don’t expect perfection on crew test flight. ArsTechnica.com article. Pull quote: “"The expectation from the media should not be perfection," Wilmore said. "This is a test flight. Flying and operating in space is hard. It’s really hard, and we’re going to find some stuff. That’s expected. It’s the first flight where we are integrating the full capabilities of this spacecraft."”

Review - EPA Publishes TSCA Health Data Request NPRM – 3-26-24

Today, the Environmental Protection Agency (EPA) published a notice of proposed rulemaking in the Federal Register (89 FR 20918-20924) on “Certain Existing Chemicals; Request To Submit Unpublished Health and Safety Data Under the Toxic Substances Control Act (TSCA)”. The NPRM would amend 40 CFR 716.21(a) by adding a new paragraph (11) containing 16 new chemicals that would be subject to the health and safety data reporting requirements of §716.

The new chemicals include:

4,4-Methylene bis(2-chloraniline) (CASRN 101–14–4),

4-tert-octylphenol (4-(1,1,3,3-Tetramethylbutyl)-phenol) (CASRN 140–66–9),

Acetaldehyde (CASRN 75–07–0),

Acrylonitrile (CASRN 107–13–1),

Benzenamine (CASRN 62–53–3),

Benzene (CASRN 71–43–2),

Bisphenol A (CASRN 80–05–7),

Ethylbenzene (CASRN 100–41–4),

Naphthalene (CASRN 91–20–3),

Vinyl Chloride (CASRN 75–01–4),

Styrene (CASRN 100–42–5),

Tribromomethane (Bromoform) (CASRN 75–25–2),

Triglycidyl isocyanurate (CASRN 2451–62–9),

Hydrogen fluoride (CASRN 7664–39–3),

N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) (CASRN 793–24–8), and

2-anilino-5-[(4-methylpentan-2-yl) amino]cyclohexa-2,5-diene-1,4-dione (6PPD-quinone) (CASRN 2754428–18–5).

Public Comments

The EPA is soliciting public comments on the proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket No EPA-HQ-OPPT-2023-0360). Comments should be submitted by May 28th, 2024.

 

For more details about the provisions of this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-tsca-health-data-request - subscription required.

Review – 4 Advisories Published – 3-26-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Rockwell Automation (3) and AutomationDirect.

Advisories

Rockwell Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Rockwell FactoryTalk View ME HMI software application.

Rockwell Advisory #2 - This advisory describes six vulnerabilities in the Rockwell Arena Simulation Software.

Rockwell Advisory #3 - This advisory describes three vulnerabilities in the Rockwell PowerFlex 527 adjustable frequency AC drives.

AutomationDirect Advisory - This advisory describes three vulnerabilities in the AutomationDirect C-MORE EA9 HMI.

 

For more information about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-3-26-24 - subscription required.

Review - Siemens Publishes Out-of-Band Advisory – 3-26-24

Today, Siemens published an out-of-band advisory for a ‘missing write protection for parametric data values’ vulnerability in PROFINET products.

For more information about this newly reported vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-band-advisory - subscription required.

 