Wednesday, March 27, 2024

Review - HR 7447 Introduced – Election System Pentests

Last month, Rep Spanberger (D,VA) introduced HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002 by adding a third-party penetration testing requirement to the existing election system certification process. It would also establish a voluntary vulnerability disclosure program. No new funding is authorized by the legislation.

Moving Forward

Neither Spanberger nor her two cosponsors {Rep Deluzio (D,PA) and Rep Valadao (R,CA)} is a member of the House Administration Committee, to which this bill was assigned for primary consideration, or of the House Science, Space, and Technology Committee, to which the bill was assigned for secondary consideration. This means that there is practically no chance that the bill will be considered by either committee. I see nothing in the bill that would engender any organized opposition. I suspect that it would receive some level of bipartisan support were it considered.

Commentary

While the term ‘penetration testing’ is used in the legislation, it is never defined. I would suggest using the definition of that term found in NIST 800-95 (pg C-3):

“A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.”

For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7447-introduced - subscription required.

Tuesday, March 26, 2024

Short Takes – 3-26-24

NY Republican says House could ‘end up having a Speaker Hakeem Jeffries’ as GOP majority narrows. TheHill.com article. Pull quote: “Former Rep. Brian Higgins’ (D-N.Y.) seat is also vacant and will be filled by a special election on April 30. With that seat likely going to a Democrat, the GOP could be left with just a two-seat margin during the month of May.”

Bird flu detected in milk from dairy cows in Texas and Kansas. WashingtonPost.com article. Pull quote: “The infections among cattle pose minimal risk to human food safety or milk supply and prices, officials said. Milk from sick cattle is being diverted or destroyed. Pasteurization — a heating treatment that kills pathogens — is required for milk involved in interstate commerce, greatly reducing the possibility that infected milk enters the food supply, they added.”

National Maritime Security Advisory Committee; Vacancies. Federal Register CG NMSAC notice. Summary: “The U.S. Coast Guard is accepting applications to fill seven vacancies on the National Maritime Security Advisory Committee (Committee). This Committee advises the Secretary of Homeland Security, via the Commandant of the U.S. Coast Guard on matters relating to national maritime security, including on enhancing the sharing of information related to cybersecurity risks that may cause a transportation security incident, between relevant Federal agencies and State, local, and tribal governments; relevant public safety and emergency response agencies; relevant law enforcement and security organizations; maritime industry; port owners and operators; and terminal owners and operators.” Applications to be submitted by May 28th, 2024.

2024 hurricane season conditions 'concerning,' hurricane expert says. WRAL.com article. Pull quote: “Brennan said while NOAA can’t release an official hurricane season forecast yet, the National Hurricane Center is integrating new tools to measure hurricane strength, including a new, unmanned aircraft.”

Starliner’s first commander: Don’t expect perfection on crew test flight. ArsTechnica.com article. Pull quote: “"The expectation from the media should not be perfection," Wilmore said. "This is a test flight. Flying and operating in space is hard. It’s really hard, and we’re going to find some stuff. That’s expected. It’s the first flight where we are integrating the full capabilities of this spacecraft."”

Review - EPA Publishes TSCA Health Data Request NPRM – 3-26-24

Today, the Environmental Protection Agency (EPA) published a notice of proposed rulemaking in the Federal Register (89 FR 20918-20924) on “Certain Existing Chemicals; Request To Submit Unpublished Health and Safety Data Under the Toxic Substances Control Act (TSCA)”. The NPRM would amend 40 CFR 716.21(a), by adding a new paragraph (11) containing 16 new chemicals that would be subject to the health and safety data reporting requirements of §716.

The new chemicals include:

4,4-Methylene bis(2-chloroaniline) (CASRN 101–14–4),

4-tert-octylphenol (4-(1,1,3,3-Tetramethylbutyl)-phenol) (CASRN 140–66–9),

Acetaldehyde (CASRN 75–07–0),

Acrylonitrile (CASRN 107–13–1),

Benzenamine (CASRN 62–53–3),

Benzene (CASRN 71–43–2),

Bisphenol A (CASRN 80–05–7),

Ethylbenzene (CASRN 100–41–4),

Naphthalene (CASRN 91–20–3),

Vinyl Chloride (CASRN 75–01–4),

Styrene (CASRN 100–42–5),

Tribromomethane (Bromoform) (CASRN 75–25–2),

Triglycidyl isocyanurate (CASRN 2451–62–9),

Hydrogen fluoride (CASRN 7664–39–3),

N-(1,3-Dimethylbutyl)-N′-phenyl-p-phenylenediamine (6PPD) (CASRN 793–24–8), and

2-anilino-5-[(4-methylpentan-2-yl) amino]cyclohexa-2,5-diene-1,4-dione (6PPD-quinone) (CASRN 2754428–18–5).

Public Comments

The EPA is soliciting public comments on the proposed rule. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket No EPA-HQ-OPPT-2023-0360). Comments should be submitted by May 28th, 2024.

For more details about the provisions of this NPRM, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-tsca-health-data-request - subscription required.

Review – 4 Advisories Published – 3-26-24

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Rockwell Automation (3) and AutomationDirect.

Advisories

Rockwell Advisory #1 - This advisory describes a cross-site scripting vulnerability in the Rockwell FactoryTalk View ME HMI software application.

Rockwell Advisory #2 - This advisory describes six vulnerabilities in the Rockwell Arena Simulation Software.

Rockwell Advisory #3 - This advisory describes three vulnerabilities in the Rockwell PowerFlex 527 adjustable frequency AC drives.

AutomationDirect Advisory - This advisory describes three vulnerabilities in the AutomationDirect C-MORE EA9 HMI.

For more information about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-3-26-24 - subscription required.

Review - Siemens Publishes Out-of-Band Advisory – 3-26-24

Today, Siemens published an out-of-band advisory for a missing write protection for parametric data values vulnerability in PROFINET products.

For more information about this newly reported vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/siemens-publishes-out-of-band-advisory - subscription required.

Monday, March 25, 2024

Short Takes – 3-25-24

Water Utility Cybersecurity, EPA & CISA, and You. SCADAMag.Infracritical.com article. Another important piece of cybersecurity commentary by Jake Brodsky. Pull quote: “In addition, most small water utilities are well-water, not surface water. Well water quality is very consistent and does not usually change much. Surface water utilities, such as from a river or a lake can change more often, but even so, it rarely involves more than a couple changes per shift. Most of the automated systems were run manually just 10 years ago. We automate them to improve consistency and perhaps save chemicals by slowly adjusting dosages as needed over a relatively narrow range.”

Geomagnetic storm from a solar flare could disrupt radio communications and create a striking aurora. Pull quote: “Satellite operators might have trouble tracking their spacecraft, and power grids could also see some "induced current" in their lines, though nothing they can't handle, he said.”

Cybersecurity Labeling for Internet of Things. Federal Register FCC further notice of proposed rulemaking (FNPRM). Pull quote: “In this FNPRM, we seek comment on additional declarations intended to provide consumers with assurances that the products bearing the FCC IoT Label do not contain hidden vulnerabilities from high-risk countries, that the data collected by the products does not sit within or transit high-risk countries, and that the products cannot be remotely controlled by servers located within high-risk countries. Specifically, we seek comment on whether we should require manufacturers to disclose to the Commission whether firmware and/or software were developed and manufactured in a “high-risk country,” as well as where firmware and software updates will be developed and deployed from. We also seek comment on whether to require manufacturers to disclose to consumers in the registry whether firmware and/or software were developed and manufactured in a “high-risk country,” as well as where firmware and software updates will be developed and deployed from.” Comments due April 24th, 2024.

US must establish independent military cyber service to fix ‘alarming’ problems — report. DefenseScoop.com article. Pull quote: “But it [the report] did recommend placing it within the Department of the Army, with Cybercom continuing to be the force employer. Montgomery believes the Army has done the best in cyber, relative to the other services, placing cyber in the hands of general officers. Additionally, the other military departments already have subordinate forces: the Space Force under the Department of the Air Force and the Marine Corps under the Department of the Navy.”

Chinese Tanker Hit with Houthi Missile in the Red Sea. USNI.org article. Pull quote: “The ship is owned by a Chinese company, according to the release. The Houthis previously said they would not attack any Chinese ships. It is possible it was a case of old information, as the South China Morning Post reported that the ship’s registered owner changed in February 2024.”

China launches Queqiao-2 relay satellite to support moon missions. SpaceNews.com article. Pull quote: “The spacecraft will enter a highly elliptical lunar orbit inclined by 55 degrees once it reaches the moon. The orbit is specially designed to support China’s Chang’e-6 lunar far side sample return mission, due to launch in May. The far side of the moon never faces the Earth, as the planet’s gravity has slowed the rotation of the moon over time.”

Review - PHMSA Publishes 60-day ICR Notice for Revisions to Gas Pipeline Reporting

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a 60-day ICR revision notice in the Federal Register (89 FR 20751-20755) for “Mitigation of Ruptures on Onshore Gas Transmission and Gathering, Hazardous Liquid, and Carbon Dioxide Pipeline Segments Using Rupture-Mitigation Valves or Alternative Equivalent Technologies and Blending of Hydrogen Gas and Natural Gas Within Gas Pipelines”. According to the notice summary:

“The proposed information collection changes would provide data necessary to demonstrate an alternative approach to the implementation of Recommendation P–11–11 made by the National Transportation Safety Board (NTSB) and allow PHMSA to identify trends related to the blending of hydrogen gas and natural gas within gas pipelines from operator-submitted data.”

Changes are being proposed to the following existing ICRs:

2137–0627, National Registry of Pipeline and LNG Operators,

2137–0635, Incident Reports for Natural Gas Pipeline Operators,

2137–0629, Annual Report for Gas Distribution Operators,

2137–0522, Annual Reports for Gas Pipeline Operators,

2137–0614, Hazardous Liquid Pipeline Operator Annual Reports, and

2137–0596, National Pipeline Mapping Program.

The existing and proposed burden estimates are shown below:


Public Comments

PHMSA is soliciting public comments on the proposed changes to these currently approved information collections. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2022-0085). Comments should be submitted by May 24th, 2024.

Commentary

It is interesting that these changes to reporting requirements are, for the most part, reducing (according to the table above) the annual burden. The problem is that those changes are not what is being reported by the ICR notice. In three cases the discrepancy is due to the fact that I used data from currently pending ICR revisions for the following ICRs: 2137-0629, 2137-0522, 2137-0596. There is nothing in the discussion in today’s notice that would indicate that those earlier proposed changes have been rescinded. I have no idea what is going on with 2137–0614. We will have to wait to see the Supporting Document that PHMSA provides to OIRA after the 30-day ICR is published.

For more details about the changes being proposed by PHMSA, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-60-day-icr-notice - subscription required.
