This morning the Chemical Safety Board published an
update on their investigation into two NOx releases at Austin Powder
facilities in Ohio and Tennessee. The update provides a brief description of both
release incidents and outlines the ongoing work being done to determine the
root cause of the releases.
Wednesday, December 17, 2025
CSB Provides Update on the Austin Powder Investigations – 12-17-25
CISA Adds FortiGuard Vulnerability to KEV Catalog – 12-16-25
Yesterday CISA announced that they had added an improper verification of cryptographic signature vulnerability in multiple FortiGuard products to their Known Exploited Vulnerabilities (KEV) catalog. FortiGuard previously disclosed the vulnerability along with mitigation measures and new versions that fixed the vulnerability. Three days later Arctic Wolf reported exploits of the vulnerability (along with a related improper verification vulnerability that has not yet been added to the KEV catalog) in the wild.
CISA had directed federal agencies using the affected
FortiGuard products to apply mitigations per vendor instructions, follow
applicable BOD 22-01 guidance for cloud services, or discontinue use of the
product if mitigations are unavailable. A deadline of December 23rd,
2025 has been provided for those actions.
Review – Bills Introduced – 12-15-25
On Monday, with both the House and Senate in session, there were 44 bills introduced. This post is a day late because of a delay in publishing the listing of 25 of the 28 bills introduced in the House on December 15th. One of those bills may receive additional attention in this blog:
S 3481 A bill to expand the authority to use counter-unmanned aircraft system technologies to State, local, Tribal, and territorial law enforcement and correctional agencies, and for other purposes. Peters, Gary C. [Sen.-D-MI]
Tuesday, December 16, 2025
Reader Comment – API & ASME CSB Responses
Yesterday William Sommer, MBA, PE left a comment on LinkedIn on my note about my blog post on the CSB’s video on the Yenkin-Majestic Resin Plant Vapor Cloud Explosion and Fire. He asked:
“I was struck by one of the recommendations for the API and ASME to provide design, construction, alteration guidance for low pressure vessels in flammable or highly hazardous chemical service: Does anyone know status and where to find?”
I have no insight into the status of the development of the design
criteria within the American Petroleum Institute (API) and the American Society
of Mechanical Engineers (ASME). I can, however, provide a little more
information on the CSB’s take on the status of these recommendations; the data
comes from the CSB’s Recommendations Statistics page and the September 23rd,
2025, downloadable spreadsheet on that page. Both recommendations were issued
on November 30th, 2023. The table below summarizes the pertinent
data about the two recommendations.
The text of the API recommendation:
“Develop specific design, construction, and alteration guidance for low-pressure process vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig in API 510 Pressure Vessel Inspection Code, API RP 572 Inspection Practices for Pressure Vessels, and/or other appropriate products. At a minimum, include guidance for: (i) determining and documenting the low-pressure vessel’s design pressure (such as through a data sheet and a nameplate affixed to the vessel); (ii) determining when or if all or parts of the ASME Boiler and Pressure Vessel Code should be applied; (iii) acceptable alternative engineering methods, if applicable; and, (iv) alteration requirements, such as design assessments, inspections, and pressure testing.”
The text of the supporting ASME recommendation:
“Assist API in developing design, construction, and alteration guidance for low-pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig. If any new design and construction guidance is specifically developed for pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig, reference the design and construction guidance in the Section VIII, Division 1 of the ASME Boiler and Pressure Vessel Code (BPVC).”
Even with a reasonable degree of consensus on the need for standards changes, it takes some time to develop, write and reach consensus on these sorts of things. It does seem to me that two years is not an unreasonable amount of time to be working on such a standard.
If anyone has any information on if/how progress is being made within API or ASME, please let me know.
Review – 4 Advisories and 3 Updates Published – 12-16-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Hitachi Energy, Johnson Controls, and Güralp Systems. They also updated advisories for products from Fuji Electric, Johnson Controls, and Mitsubishi Electric.
Advisories
Mitsubishi Advisory - This advisory
describes a cleartext storage of sensitive information vulnerability in the
Mitsubishi GT Designer3 products.
Hitachi Energy Advisory - This advisory
discusses the BlastRadius-Fail
vulnerability.
NOTE: I briefly
discussed this vulnerability on November 1st, 2025.
Johnson Controls Advisory - This advisory
describes four vulnerabilities in the Johnson Controls PowerG, IQPanel and
IQHub products.
Güralp Advisory - This advisory describes an allocation of resources without limit or throttling vulnerability in the Güralp Fortimus, Minimus, and Certimus product series.
Updates
Fuji Update - This update
provides additional information on the Fuji Monitouch V-SFT-6 advisory that was
originally published on November 4th, 2025.
Johnson Controls Update - This update
provides additional information on the Johnson Controls iSTAR Ultra advisory
that was originally published on August 12th, 2025.
Mitsubishi Update - This update
provides additional information on the Mitsubishi GENESIS advisory that was
originally published on May 20th, 2025, and most recently updated on
August 28th, 2025.
I briefly discussed this update on August 9th, 2025.
For more information on these advisories, including a brief
description of the CISA advisory format change, see my article at CFSN Detailed
Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-3-updates-published
- subscription required.
Review - HR 3435 Introduced – Federal Cyber Workforce Training
Back in May Rep Fallon (R,TX) introduced HR 3435, the Federal Cyber Workforce Training Act of 2025. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute; that would require subsequent legislation. The bill specifically does not authorize new spending.
This bill is essentially the same as HR 9520 that was introduced by Fallon in September 2024. No other action was taken on HR 9520 in the 118th Congress.
Moving Forward
Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.
Commentary
While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):
“(C) establish a
common skill level cybersecurity curriculum for all entry level positions and a
more advanced cybersecurity training program for personnel transitioning to
mid-career level positions;”
For more details about the provisions of this bill, see my
article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3435-introduced-federal-cyber
- subscription required.
Short Takes – 12-16-25 – Federal Register Edition
Information Collection: NASA Virtual Launch Guest Watch Party Registration. Federal Register NASA 30-day ICR reinstatement notice. Summary: “The Virtual Guest Program exists to leverage the excitement around launches and milestones to widely disseminate information about Earth and space phenomena through the sharing of information about research on launches, mission objectives, public engagement activities (coloring pages, social media filters) and the like. The program provides registration opportunities for individuals and watch parties so that NASA may provide them the specific information they are interested in receiving and to share a detailed slice of the NASA efforts in carrying out the other portions of the Space Act of 1958. By learning the information from the plans of Watch Party organizers, NASA can best provide appropriate resources and share information about its activities and results.” Comments due January 14th, 2026.
Protecting the Nation's Communications Systems From Cybersecurity Threats. Federal Register FCC order on reconsideration. Summary: “In this document, the Federal Communications Commission (“Commission” or “FCC”) announces that it has reconsidered and rescinded a prior Declaratory Ruling and Notice of Proposed Rulemaking, neither of which had been published in the Federal Register. The Declaratory Ruling misconstrued the Communications Assistance for Law Enforcement Act (CALEA), and the Notice of Proposed Rulemaking was based in part on the Declaratory Ruling's flawed legal analysis and proposed ineffective cybersecurity requirements. This Order follows the FCC's engagement with providers to help strengthen their cybersecurity posture.”
EO 14365 - Ensuring a National Policy Framework for Artificial Intelligence. Federal Register.
EO 14366 - Protecting American Investors from
Foreign-Owned and Politically-Motivated Proxy Advisors. Federal
Register.
