Friday, June 19, 2026

Chemical Transportation Incidents – Week of 5-16-26

Reporting Background 

See this post for explanation, with the most recent update here (removed from paywall). 

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency. 

Incidents Summary  

• Number of incidents – 439 (408 highway, 28 air, 3 rail, 0 water) 

• Serious incidents – 5 (3 Bulk release, 0 evacuation, 1 injury, 0 death, 1 major artery closed, 2 fire, 29 no release)  

• Largest container involved – 23,715-gal Railcar {Elevated Temperature Liquid, N.O.S., at or Above 100 C And Below Its Flash Point (Including Molten Metals, Molten Salts, Etc.)} Cracked PVC cap on heating coil. 

• Largest amount spilled – 1,400-gal Plastic IBC {Sodium Hydroxide, Solution} IBC’s damaged in roll-over truck accident. 

• Total amount reported spilled in all incidents – 3098.2-gal 

NOTE: Links above are to Form 5800.1 for the described incidents. 

Most Interesting Chemical: Pyridine: A clear colorless to light yellow liquid with a penetrating nauseating odor. Vapors are heavier than air. Toxic by ingestion and inhalation. Combustion produces toxic oxides of nitrogen. (Source: CameoChemicals.NOAA.gov).  



CISA Adds Splunk Vulnerability to KEV Catalog – 6-18-26

Yesterday, CISA announced that it had added a missing authentication for critical function vulnerability in the Splunk Enterprise product to its Known Exploited Vulnerabilities (KEV) catalog. Splunk previously disclosed the vulnerability on June 10th and provided new versions that mitigated the vulnerability. WatchTowr published a report on the vulnerability that included proof-of-concept code last week.

CISA is directing all federal agencies to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA has set June 21st, 2026 as a compliance deadline.

Thursday, June 18, 2026

Review – 8 Advisories Published – 6-18-26

Today CISA’s NCCIC-ICS published seven control system security advisories for products from Schneider Electric (2), Mitsubishi Electric (2), Rockwell Automation, AzeoTech, and AVer. They also published a medical device security advisory for products from Apollo Pharmacy. 

Advisories  

Schneider Advisory #1 - This advisory describes an insufficient entropy vulnerability in multiple Schneider product lines. 

Schneider Advisory #2 - This advisory describes a path traversal vulnerability in the Schneider EasyLogic T150 and Saitel DP products. 

Mitsubishi Advisory #1 - This advisory describes an expected behavior violation vulnerability in the Mitsubishi MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP. 

Mitsubishi Advisory #2 - This advisory describes an integer overflow or wraparound vulnerability in the Mitsubishi MELSEC iQ-F Series products. 

Rockwell Advisory - This advisory describes three vulnerabilities in the Rockwell FactoryTalk Historian Site Edition. 

AzeoTech Advisory - This advisory describes a type confusion vulnerability in the AzeoTech DAQFactory product. 

AVer Advisory - This advisory describes a files or directories accessible to external parties vulnerability in the AVer PTC cameras. 

Apollo Advisory - This advisory describes two vulnerabilities in the Apollo Blood Glucose Monitoring System APG-01 BT. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-6-18-26 - subscription required. 

HR 9022 Introduced – FY 2027 EWR Spending

Last month, Rep Fleischmann (R,TN) introduced HR 9022, the Energy and Water Development and Related Agencies Appropriations Act, 2027. The House Appropriations Committee published their Report on the bill. There is one cybersecurity mention in the bill and 10 discussions in the Report. The Report also contains 14 chemical processing discussions. 

HR 9022 is similar to HR 4553, the Energy and Water Development and Related Agencies Appropriations Act, 2026, that was introduced by Fleischmann in July of 2025. The Committee Report was published. That bill passed in the House in September by a near party-line vote of 214 to 213. No action was taken on the bill in the Senate. The EWR spending was eventually included in HR 6938, the Commerce, Justice, Science; Energy and Water Development; and Interior and Environment Appropriations Act, 2026, minibus. 

Moving Forward  

The House Rules Committee has a rule hearing scheduled for June 23, 2023. HR 9022 is one of the four bills currently scheduled for inclusion in the rule. To date, 123 potential amendments have been submitted to the Committee. Three of those amendments deal with DOE’s Cybersecurity, Energy Security, And Emergency Response (CESER) funding. 


For more information on the provisions of this bill, or discussions in the Committee Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9022-introduced-fry-2027-ewr-spending - subscription required. 

 