Monday, June 22, 2026

Short Takes – 6-22-26 - Federal Register Edition

EPCRA Hazardous Chemical Inventory Reporting Requirements: Conformity With the 2024 OSHA Hazard Communication Standard. Federal Register EPA final rule. Summary: “The Environmental Protection Agency is conforming the Emergency Planning and Community Right-to-Know Act hazardous chemical inventory reporting regulations to the Occupational Safety and Health Administration's Hazard Communication Standard amendments of 2012 and 2024. The Emergency Planning and Community Right-to-Know Act (EPCRA) and its regulations rely on the Occupational Safety and Health Administration's (OSHA's) Hazard Communication Standard for the definition of a hazardous chemical and for the categories of health and physical hazards that must be reported under the hazardous chemical inventory regulations. This action conforms the terminology used and information that must be reported on the hazardous chemical inventory forms to the Hazard Communication Standard amendments. As a result, this action improves first responder and community safety, reduces discrepancies and confusion, prevents interpretation burdens on facilities when using (Material) Safety Data Sheets to complete annual hazardous chemical inventory reports, and enhances clarity.”

1,2-Dichloropropane (1,2-DCP); 1,1,2-Trichloroethane (1,1,2-TCA); Trans-1,2-Dichloroethylene (tDCE); 4,4′-(1-Methylethylidene)bis[2, 6-Dibromophenol] (TBBPA); and Ethylene Dibromide (EDB); Draft Hazard and Exposure Assessments; Science Advisory Committee on Chemicals (SACC) Peer Review; Notice of SACC Meeting; Availability of Draft Documents and Request for Comment. Federal Register EPA notice. Summary: “The Environmental Protection Agency (EPA or Agency) is announcing two virtual public meetings of the Science Advisory Committee on Chemicals (SACC). The first is a preparatory meeting scheduled for July 23, 2026. During the meeting, the SACC will consider the scope and clarity of the draft charge questions for the peer review of the draft technical support documents for 1,2-dichloropropane (1,2-DCP), 1,1,2-trichloroethane (1,1,2-TCA), trans-1,2-dichloroethylene (tDCE), 4,4′-(1-Methylethylidene)bis[2, 6-dibromophenol] (TBBPA), and ethylene dibromide (EDB). The second is the virtual SACC peer review meeting which will be held August 3 through 7, 2026, for the SACC to consider the draft technical support documents for 1,2-DCP, 1,1,2-TCA, tDCE, TBBPA, and EDB, and public comments on those materials. EPA is also announcing the availability of and soliciting public comment on the draft documents and charge questions that will be provided to the SACC for this peer review. The draft technical support documents were prepared under the Toxic Substances Control Act (TSCA) and will be submitted to the SACC for peer review.”

Pipeline Safety: Declaratory Order Procedures; Response To Petition for Reconsideration. Federal Register PHMSA petition response. Summary: “On April 24, 2026, PHMSA issued the final rule Pipeline Safety: Declaratory Order Procedures, 91 FR 21968. The Pipeline Safety Trust filed a petition for reconsideration of this final rule on May 26, 2026, which challenged various issues. PHMSA denied the petition on June 11, 2026. Each of these documents is available in the rulemaking docket that is accessible on http://www.regulations.gov by searching for docket number PHMSA-2026-1537.”

Sunday, June 21, 2026

Review - Public ICS Disclosures – Week of 6-13-26 – Part 2

For Part 2 we have 11 additional vendor disclosures from Ingecon, Moxa (3), NI, Splunk (2), ThingsBoard, TP-Link, Turck, and Zyxel. Part 3 is coming tomorrow. 

Advisories  

Ingecon Advisory - INCIBE-CERT published an advisory that describes a use of broken or risky cryptographic algorithm vulnerability in the Ingecon EMS Board. 

Moxa Advisory #1 - Moxa published an advisory that describes a missing authentication vulnerability in their Serial Device Servers. 

Moxa Advisory #2 - Moxa published an advisory that describes two vulnerabilities in their Serial Device Servers. The vulnerabilities were reported by Remi ONNO of CS GROUP. 

Moxa Advisory #3 - Moxa published an advisory that describes an improper validation of specified type of input vulnerability in their Serial Device Servers. 

NI Advisory - NI published an advisory that describes seven vulnerabilities in their gRPC Device Server. 

Splunk Advisory #1 - Splunk published an advisory that describes an OS command injection vulnerability in their AI Toolkit. 

Splunk Advisory #2 - Splunk published an advisory that describes an OS command injection vulnerability in their AI Toolkit. 

ThingsBoard Advisory - JP-CERT published an advisory that describes a prototype pollution vulnerability in the ThingsBoard open-source IoT platform. 

TP-Link Advisory - TP-Link published an advisory that describes two OS command injection vulnerabilities in their TL-WR940N wireless router. 

Turck Advisory - CERT-VDE published an advisory that discusses two vulnerabilities (one with a publicly available exploit) in Turck Managed Ethernet Switches. 

Zyxel Advisory - Zyxel published an advisory that describes a stack-based buffer overflow vulnerability in their GS1900 series switches. 


For more information on these disclosures, see my article at CFSN Detailed Analysis - - subscription required. 

Saturday, June 20, 2026

Review - HR 7885 Introduced – Cybersecurity Skills Integration

Back in March Rep Thompson (R,PA) introduced HR 7885, the Cybersecurity Skills Integration Act. The bill would require the Department of Education to start a pilot grant program to develop “postsecondary career and technical education programs that integrate cybersecurity education”. The legislation would authorize $10 million to support the pilot program. 

HR 7885 is essentially identical to HR 6124, the Cybersecurity Skills Integration Act, that was introduced by Thompson in October 2023. No action was taken on that bill in the 118th Congress. 

Moving Forward 

Thompson is a member of the House Education and Labor Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see this bill considered by the Committee. I would expect to see some Republican opposition to the bill because of the $10 million price tag, but that opposition would be offset by Democratic support. I am not sure that it would receive sufficient bipartisan support to be considered in the House under the suspension of the rules process if it were to make it that far. 

Commentary 

This is the first piece of cybersecurity legislation that I have seen where it appears that the crafters of the bill really have a basic understanding of the unique dangers related to attacks on industrial control systems in process industries. In each of the first two parts of the definition of ‘cybersecurity education’ references are made to ‘control systems and operational technology’. It is in the third part of the definition, however, where those potential dangers are really addressed: 

“(C) training to ensure the continuous physical and environmental safety of the operations of critical infrastructure systems.” 


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7885-introduced-cybersecurity - subscription required. 

Review – Bills Introduced – 6-17 thru 6-19-26

Congress.gov had some operational issues this week that made it difficult to look at the bills that were introduced on the 17th, 18th, and 19th. Those issues appear to be fixed at this point, so this post will look at bills introduced during that period. The Senate was in session on the 17th and 18th, and the House met in pro forma session on the 18th. A total of 117 bills were introduced during this period. One of those bills will receive additional coverage in this blog: 

HR 9338 To amend title 49, United States Code, to improve the safety of pipeline transportation, and for other purposes. Rep. Weber, Randy K. Sr. [R-TX-14] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill stopping prior authorization requirements for repairs to powered wheelchairs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-6-17-thru-6-19-26 - subscription required. 

 