Review – Public ICS Disclosures – Week of 3-21-26 – Part 1

This week was a relatively light disclosure week. We have eleven vendor disclosures from ABB, CODESYS (2), Helmholz, Hitachi (2), HP, HPE, MB Connect, Mitsubishi, and Philips.

 

Advisories

 

ABB Advisory - ABB published an advisory that discusses 25 vulnerabilities in their Ability Camera Connect product.

CODESYS Advisory #1 - CODESYS published an advisory that describes the use of an externally-controlled format string vulnerability in their Control and Runtime Toolkit products.

CODESYS Advisory #2 - CODESYS published an advisory that describes an incorrect resource transfer between spheres vulnerability in their Control runtime system.

Helmholz Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Helmholz myREX24V2 products.

Hitachi Advisory #1 - Hitachi published an advisory that describes a cross-site scripting vulnerability in their Infrastructure Analytics Advisor and Ops Center Analyzer products.4

Hitachi Advisory #2 - Hitachi published an advisory that describes an open redirect vulnerability in their Ops Center Administrator product.

HP Advisory - HP published an advisory that discusses an out-of-bounds write vulnerability in their consumer notebook PCs.

HPE Advisory - HPE published an advisory that discusses three vulnerabilities (two with publicly available exploits) in their Telco Service Orchestrator product.

MB Connect Advisory - MB Connect published an advisory that describes two vulnerabilities in their mbCONNECT24 products.

Mitsubishi Advisory - Mitsubishi published an advisory that discusses a heap-based buffer overflow vulnerability in multiple Mitsubishi HVAC products.

Philips Advisory - Philips published an advisory that discusses a known Oracle missing authentication for critical function vulnerability.

 

For more information on these disclosures, including links to 3^rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-4d6 - subscription required

Short Takes – 3-27-26 – Federal Register Edition

Perchloroethylene (PCE) and Carbon Tetrachloride (CTC); Regulation Under the Toxic Substances Control Act (TSCA); Compliance Date Extensions. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA or Agency) is proposing to extend certain compliance dates applicable to certain entities subject to the regulation of perchloroethylene (PCE) and carbon tetrachloride (CTC) under the Toxic Substances Control Act (TSCA). EPA is proposing to extend certain Workplace Chemical Protection Program (WCPP) compliance dates for non-federal owners and operators to match the compliance dates for federal agencies and their contractors. For both PCE and CTC, this proposal would extend the compliance date for initial monitoring for inhalation exposure to June 21, 2027, and extend the compliance date to meet the existing chemical exposure limit (ECEL), establish a regulated area, provide any required respiratory personal protective equipment (PPE), and establish a respiratory PPE program to September 20, 2027. For PCE, EPA is also proposing to extend the compliance date for non-federal entities to establish and implement an exposure control plan to December 20, 2027.”

Continuation of the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities. Federal Register Office of the President continuation of national emergency notice. Summary: “These significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. For this reason, the national emergency declared in Executive Order 13694, and with respect to which additional steps were taken in Executive Order 13757, Executive Order 13984, Executive Order 14110 (revoked by Executive Order 14148), Executive Order 14144, and Executive Order 14306, must continue in effect beyond April 1, 2026. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency declared in Executive Order 13694.”

DOT Technical Assistance PRA. Federal Register DOT/OS 60-day ICR renewal notice.

EO 14397 - Further Continuance of the Federal Emergency Management Agency Review Council. Federal Register.

Review – Bills Introduced – 3-26-26

Yesterday, with both the House and Senate in session and the Senate preparing to leave for their two week Easter holiday, there were 121 bills introduced. One of those bills may receive additional coverage in this blog:

HR 8110 To establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Lee, Susie [Rep.-D-NV-3]

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 4264 A bill to provide NASA the authority to detect, identify, monitor, and track unmanned aircraft systems, and for other purposes. Peters, Gary C. [Sen.-D-MI]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-26-26 - subscription required.

Chemical Transportation Incidents – Week of 2-21-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 447 (408 highway, 31 air, 7 rail, 1 water)

• Serious incidents – 4 (3 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 6 fire/explosion, 36 no release)

• Largest container involved – 203,900-gal (?) DOT 117R100W Railcar {Diesel Fuel} Bottom outlet valve leaking.

• Largest amount spilled – 500-gal Tank truck {Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol} Vent pipe malfunction.

• Total amount reported spilled in all incidents – 2117.9-gal

NOTE: Links above are to Form 5800.1 for the described incidents. Link not available for tank truck incident.

Most Interesting Chemical: Tributylamine: A pale yellow liquid with an ammonia-like odor. Less dense than water. Very irritating to skin, mucous membranes, and eyes. May be toxic by skin absorption. Low toxicity. Used as an inhibitor in hydraulic fluids. (Source: CameoChemicals.NOAA.gov).

OMB Approves NTIA Space Launch Portal ICR

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that that it had approved the initial information collection request from DOC’s National Telecommunications and Information Administration (NTIA) respectfully for “NTIA Space Launch Frequency Coordination Portal” and assigned the OMB Control Number 0660-0057 to that collection. The 60-day ICR notice was published on October 1^st, 2025 and the 30-day ICR notice was published on January 27^th, 2026.

The table below provides the approved initial burden estimate.

The supporting document provided to OIRA explains that:

“The proposed portal will collect the information [currently] submitted via e-mail through an online portal.  This information will be routed through the portal and reviewed by NTIA and other federal agencies.  A dashboard will provide transparency on where the request is in the portal.  This system will replace an outdated e-mail process and expedite processing time.”

OMB Approves EPA Chemical Manufacturing NESHAP Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the EPA on “National Emission Standards for Hazardous Air Pollutants: Chemical Manufacturing Area Source Technology Review”. The final rule was sent to OIRA on February 23^rd, 2026. The notice of proposed rulemaking was published on January 22^nd, 2025. There was a judicial deadline for the publication of this final rule of January 15^th, 2026.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This action will address the agency's technology review of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Chemical Manufacturing Area Sources (CMAS). The CMAS NESHAP, subpart VVVVVV, was promulgated on October 29, 2009, pursuant to section 112(d) of the Clean Air Act (CAA) and established emission limitations and work practice requirements for controlling emissions of hazardous air pollutants (HAP). The NESHAP controls HAP emissions from process vents, storage tanks, equipment leaks, wastewater streams, transfer operations and heat exchange systems. This action addresses the technology review requirements of CAA section 112(d)(6) which require the EPA to review and revise the standards as necessary (taking into account developments in practices, processes and control technologies) no less often than every 8 years.”

This appears to be outside of the normal scope of this blog, but I would expect to announce the publication of the final rule in the appropriate Short Takes post. I would expect publication within the next week of two.

HR 8029 Passed in House – FY 2026 DHS Spending

This afternoon the House considered HR 8029, the Pay Our Homeland Defenders Act, under a closed rule. After an hour and 20 minutes of debate, the House passed the bill by a near party line vote of 218 to 206. Four Democrats and one Independent vote Aye. The bill now goes to the Senate where it will suffer the same problems as HR 7147, the nearly identical bill that was passed in the House on January 22^nd, 2026, but has not been able to gain the 60 votes needed for passage in the Senate.