Review – EPA Publishes Hazardous Substance Facility Response Plans ANPRM

Today the EPA published an advanced notice of proposed rulemaking in the Federal Register (91 FR 7415-7420) on: “Clean Water Act Hazardous Substance Facility Response Plans; Amendment Reconsideration”. This rulemaking seeks feedback on potential amendments to address implementation challenges and clarify requirements from the 2024 final rule.

Background Information

The preamble to this ANPRM provides a detailed discussion about the provisions of the 2024 rulemaking. It then goes on to discuss the implementation issues that have arisen since that final rule was put into place. These include issues related to facility applicability and program implementation.

Public Comments

The EPA is soliciting public comments on this ANPRM. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # EPA-HQ-OLEM-2025-1707). Comments should be submitted by March 20^th, 2026.

 

For more information about this proposed rulemaking, including a look at the questions the EPA is providing for consideration, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/epa-publishes-hazardous-substance - subscription required.

NRC Sends Modernizing Security for Nuclear Materials NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking from the Nuclear Regulatory Commission (NRC) on “Modernizing Requirements Relating to Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material [NRC-2025-1238]”. This rulemaking was not listed in the Spring 2025 Unified Agenda.

The rulemaking would appear to be targeting amendments to 10 USC Part 37, Physical protection of category 1 and category 2 quantities of radioactive material. This Part was included as one of the recent regulatory revisions published on December 3^rd, 2025, where the NRC placed portions of regulations under a new sunset provision (in this case sunsetting on January 8^th, 2027), so this rulemaking should also serve as the first 5 year extension of that sunset.

According to an NRC memo on FY 2026 regulatory priorities:

“This initiative aims to modernize the NRC's regulations by removing unnecessary requirements relating to physical protection and security of category 1 and category 2 quantities of radioactive material, while maintaining safety and security. The NRC anticipates the proposed rule to be published in March 2026.”

According to that memo, the listed regulatory efforts (including this rulemaking) are being proposed in response to EO 14300, Ordering the Reform of the Nuclear Regulatory Commission. It also notes that the proposed rulemakings “are deregulatory and are expected to result in cost savings to both NRC and Industry stakeholders”.

This rulemaking is generally outside of the scope of this blog, but it deserves mention as it deals with chemical security in the most extreme case.

Review – 4 Advisories Published – 2-17-26

Today CISA published four control system security advisories for products from Honeywell, GE Vernova, Delta Electronics, and Siemens.

Advisories

Honeywell Advisory - This advisory describes a missing authentication for critical function vulnerability in the Honeywell CCTV Products.

GE Advisory - This advisory describes two vulnerabilities in the Vernova Enervista UR Setup tool.

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta ASDA-Soft configuration software.

NOTE: I briefly discussed this vulnerability on February 7^th, 2026.

Siemens Advisory - This advisory that describes six vulnerabilities in their Simcenter Femap and Nastran products.

NOTE: I briefly discussed these vulnerabilities on February 14^th, 2026.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-2-17-26 - subscription required.

Review – HR 7257 Introduced – State Energy Plans

Last month Rep Latta (R,OH) introduced HR 7257, the Securing Community Upgrades for a Resilient (SECURE) Grid Act. The bill would amend 42 USC 6326 to require States to include local distribution systems in their State Energy Security Plans described in that section. No new funding is authorized by this legislation.

The bill is similar to HR 9083 that was introduced by Latta in July 2024. No action was taken on that bill in the 118^th Congress. While similar in intent, HR 7257 is a substantial rewrite. Some of the changes of interest include:

Modifying the proposed definition of the term ‘local distribution systems’ by increasing the maximum voltage from 35 kilovolts to 100 kilovolts,

Removing the proposed language being added to (b)(2)(B) referencing “energy supply disruptions resulting from increased demand on the electric grid, deteriorating assets [emphasis added], and physical and cybersecurity threats”, and

Removing from the proposed language revision in (b)(3) reference to “risks and liabilities posed by human error or mismanagement”.

Moving Forward

Latta and his two cosponsors are members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I suspect that there will be some level of bipartisan support for this bill in Committee. Whether that support would be sufficient to see the bill considered in the Full House under the suspension of the rules remains to be seen.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7257-introduced-state-energy-plans - subscription required.

Review - HR 7266 Introduced – Utility Cybersecurity Grants

Last month Rep Miller-Meeks (R,IA) introduced HR 7266, the Rural and Municipal Utility Cybersecurity Act. The bill would rewrite 42 USC 18723, the Rural and municipal utility advanced cybersecurity grant and technical assistance program, to update and reauthorize that program. The existing $250 million annual authorization for the program would be extended through 2030.

The existing Rural And Municipal Utility Advances Cybersecurity Grant And Technical Assistance Program was authorized in 2021 by §40124 of the Infrastructure Investment and Jobs Act (PL 117-58, 135 STAT 953). There is no sunset provision in this statute, but the spending authorization is only included through FY 2026.

Moving Forward  

Miller-Meeks, and her two cosponsors, are all members of the House Energy and Commerce Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any organized opposition. I suspect that there would be significant bipartisan support for this bill, which should allow for it to be considered by the full House under the suspension of the rules process. That would mean limited debate, no floor amendments, and it would require a super majority for passage.

 

For more details about the provisions of the bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7266-introduced-utility-cybersecurity - subscription required.

Review – HR 6846 Introduced – UAS Threat Assessment

Back in December, Rep Crane (R,AZ) introduced HR 6846, the Detecting and Evaluating Foreign Exploitation of Novel Drones (DEFEND) Act. The bill would amend the Homeland Security Act of 2002 by adding a new section; §324, Annual assessment on terrorism threats to the United States relating to the use of unmanned aircraft systems by covered foreign adversaries, including terrorist organizations. No new funding is authorized by this bill.

I can find no legislation in the 118th Congress that would be similar to HR 6846. To date no congressional action has been taken on this bill.

Moving Forward

Crane and all five of his cosponsors are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered in Committee. I see nothing in this bill that would engender any organized opposition. I would expect that the bill would receive bipartisan support, and that support should be sufficient to see the bill considered in the full House under the suspension of the rules process.

Commentary

While the bill’s description of the information to be included in the assessment would seem to be comprehensive, it has two serious shortcomings. First, it does not include any consideration of the legal aspects of counter UAS operations that currently restrict State, local, and tribal organizations from effectively identifying, tracking and intercepting covered UAS systems. Second, it effectively ignores any potential efforts (and legal restriction on such efforts) by private sector critical infrastructure organizations to protect themselves.

 

For more information on the provisions of this bill, including suggested language to correct the shortcomings identified above, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6846-introduced-uas-threat-assessment - subscription required

Review – Public ICS Disclosures – Week of 2-7-26 – Part 2

 For Part 2 we have five additional vendor disclosures from Arista, HPE, Supermicro, WAGO, and Yokogawa. There are ten vendor updates from Broadcom (3), CODESYS (2), HP, HPE, and Schneider (3). We also have three researcher reports for products from Sante, Linksys, and Solax. Finally, we have three exploits for products from FortiGuard, Palo Alto Networks, and SolarWinds.

Advisories

Arista Advisory - Arista published an advisory that describes six vulnerabilities in their Next Generation Firewall.

HPE Advisory - HPE published an advisory that discusses an improper handling of values vulnerability in their ProLiant DL/ML/XD, Synergy, Edgeline, MicroServer.

Supermicro Advisory - Supermicro published an advisory that discusses 11 vulnerabilities in multiple Supermicro products.

WAGO Advisory - CERT-VDE published an advisory that describes four vulnerabilities in the WAGO Industrial-Managed-Switch 0852-XXXX products.

Yokogawa Advisory - Yokogawa published an advisory that describes six vulnerabilities in their Vnet/IP Interface Package.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on August 1^st, 2023.

Broadcom Update #2 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on May 17^th, 2017.

Broadcom Update #3 - Broadcom published an update for their rsynd advisory that was originally published on September 13, 2022.

CODESYS Update #1 - CODESYS published an update for their CODESYS Control advisory that was originally published on December 1^st, 2025.

CODESYS Update #2 - CODESYS published an update for their CODESYS Control advisory that was originally published on December 1^st, 2025.

HP Update - HP published an update for their LaserJet advisory that was originally published on November 13^th, 2025, and most recently updated on December 10^th, 2025.

HPE Update - HPE published an update for their Aruba Networking EdgeConnect advisory that was originally published on January 14^th, 2026.

Schneider Update #1 - Schneider published an update for their EcoStruxure Power Operation advisory that was originally published on July 8^th, 2025.

Schneider Update #2 - Schneider published an update for their EcoStruxure Foxboro DCS advisory that was originally published on December 9^th, 2025.

Schneider Update #3 - Schneider published an update for their Uni-Telway Driver advisory that was originally published on February 11^th, 2025, and most recently updated on January 13^th, 2026.

Researcher Reports

Linksys Report - SySS Tech published a report that describes six vulnerabilities (with proof-of-concept code) in the Linksys MR9600 and MX4200 routers.

Sante Report - The Zero Day Initiative published a report that describes a buffer overflow vulnerability in the Sante DICOM Viewer Pro.

Solax Report - SEC Consult published a report that describes three vulnerabilities (with proof-of-concept code) in the Solax Power Pocket WiFi models.

Exploits

FortiGuard Exploit - Peter Gabaldon published an exploit for an exposure of sensitive information to an unauthorized actor vulnerability in the FortiGuard FortiGate product.

Palo Alto Networks Exploit - Indoushka published an exploit for four vulnerabilities in the Palo Alto Networks PAN-OS products.

 

For more information about these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-c98 - subscription required.