Sunday, June 21, 2026

Review - Public ICS Disclosures – Week of 6-13-26 – Part 2

For Part 2 we have 11 additional vendor disclosures from Ingecon, Moxa (3), NI, Splunk (2), ThingsBoard, TP-Link, Turck, and Zyxel. Part 3 is coming tomorrow. 

Advisories  

Ingecon Advisory - INCIBE-CERT published an advisory that describes a use of broken or risky cryptographic algorithm vulnerability in the Ingecon EMS Board. 

Moxa Advisory #1 - Moxa published an advisory that describes a missing authentication vulnerability in their Serial Device Servers. 

Moxa Advisory #2 - Moxa published an advisory that describes two vulnerabilities in their Serial Device Servers. The vulnerabilities were reported by Remi ONNO of CS GROUP. 

Moxa Advisory #3 - Moxa published an advisory that describes an improper validation of specified type of input vulnerability in their Serial Device Servers. 

NI Advisory - NI published an advisory that describes seven vulnerabilities in their gRPC Device Server. 

Splunk Advisory #1 - Splunk published an advisory that describes an OS command injection vulnerability in their AI Toolkit. 

Splunk Advisory #2 - Splunk published an advisory that describes an OS command injection vulnerability in their AI Toolkit. 

ThingsBoard Advisory - JP-CERT published an advisory that describes a prototype pollution vulnerability in the ThingsBoard open-source IoT platform. 

TP-Link Advisory - TP-Link published an advisory that describes two OS command injection vulnerabilities in their TL-WR940N wireless router. 

Turck Advisory - CERT-VDE published an advisory that discusses two vulnerabilities (one with a publicly available exploit) in Turck Managed Ethernet Switches. 

Zyxel Advisory - Zyxel published an advisory that describes a stack-based buffer overflow vulnerability in their GS1900 series switches. 


For more information on these disclosures, see my article at CFSN Detailed Analysis - - subscription required. 

Saturday, June 20, 2026

Review - HR 7885 Introduced – Cybersecurity Skills Integration

Back in March Rep Thompson (R,PA) introduced HR 7885, the Cybersecurity Skills Integration Act. The bill would require the Department of Education to start a pilot grant program to develop “postsecondary career and technical education programs that integrate cybersecurity education”. The legislation would authorize $10 million to support the pilot program. 

HR 7885 is essentially identical to HR 6124, the Cybersecurity Skills Integration Act, that was introduced by Thompson in October 2023. No action was taken on that bill in the 118th Congress. 

Moving Forward 

Thompson is a member of the House Education and Labor Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered by the Committee. I would expect to see some Republican opposition to the bill because of the $10 million price tag, but that opposition would be offset by Democratic support. I am not sure that it would receive sufficient bipartisan support to be considered in the House under the suspension of the rules process if it were to make it that far. 

Commentary 

This is the first piece of cybersecurity legislation that I have seen where it appears that the crafters of the bill really have a basic understanding of the unique dangers related to attacks on industrial control systems in process industries. In each of the first two parts of the definition of ‘cybersecurity education’, references are made to ‘control systems and operational technology’. It is in the third part of the definition, however, where those potential dangers are really addressed: 

“(C) training to ensure the continuous physical and environmental safety of the operations of critical infrastructure systems.” 


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7885-introduced-cybersecurity - subscription required. 

Review – Bills Introduced – 6-17 thru 6-19-26

Congress.gov had some operational issues this week that made it difficult to look at the bills that were introduced on the 17th, 18th, and 19th. Those issues appear to be fixed at this point, so this post will look at bills introduced during that period. The Senate was in session on the 17th and 18th, and the House met in pro forma session on the 18th. A total of 117 bills were introduced during this period. One of those bills will receive additional coverage in this blog: 

HR 9338 To amend title 49, United States Code, to improve the safety of pipeline transportation, and for other purposes. Rep. Weber, Randy K. Sr. [R-TX-14] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill stopping prior authorization requirements for repairs to powered wheelchairs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-6-17-thru-6-19-26 - subscription required. 

S 4697 – HALO Act and Cybersecurity

Earlier this month, I mentioned in passing the introduction of S 4697, a bill to provide for design and safety requirements for autonomous and semi-autonomous weapon systems. I do not normally spend much time following weapons development legislation, but I did read the text of this bill after it was published yesterday. And I am glad that I did, because it contains cybersecurity provisions that deserve a brief discussion here. 

Paragraph 3(d)(2) requires that an autonomous weapon system or semi-autonomous weapon system be designed with system safety, anti-tamper mechanisms, and cybersecurity in accordance with Department instructions and military standards governing cybersecurity and system safety. Those standards are not described further in this bill, nor are they further referenced by statute or regulation. While that makes it difficult to evaluate which standards are required, it does provide DOD with a certain amount of leeway to select the most appropriate cybersecurity standards for such weapons. 

Later, in subsection 6(e), the legislation addresses the need to periodically test these autonomous and semi-autonomous weapons. It requires DOD to conduct quarterly cyber tests and evaluations to verify that the system is resilient and survivable in contested cyberspace. It is not clear whether that quarterly testing would be done on each deployed weapon system, on a statistically significant number of randomly selected systems, or on a lab-maintained representative system. The first option would be the most expensive and would present additional problems when dealing with currently deployed weapon systems. The second option would conform to standards for quality assurance testing, but that kind of testing is not applicable for systems that are potential targets of cyber-attack. The last would be pro forma testing to ensure that there are no design issues that allow system degradation over time. 

The final item of interest here is found in subsection 10(a). That subsection notes that the requirements of this legislation do not apply to autonomous or semi-autonomous cyberspace capabilities. The term ‘cyberspace capabilities’ is not one of the terms defined in §2, but I would expect that they are referring to cyberattacks on computer systems (IT and OT) rather than kinetic attacks that could physically damage structures, equipment or personnel. Interestingly, the definitions of ‘autonomous weapon system’ and ‘semi-autonomous weapon system’ do not differentiate between kinetic and virtual attacks. This really needs additional clarification, especially where such cyberspace capability attacks result in kinetic effects because of loss of control in operational systems. 
