Monday, June 1, 2026

Aircraft Cybersecurity Special Conditions

Today, the DOT’s Federal Aviation Administration (FAA) published a final special conditions notice in the Federal Register (91 FR 32325-32326) for “Honeywell International Inc., Boeing Model 757-200 Series Airplanes; Electronic System Security Protection from Unauthorized External Access”.  

The aircraft’s revised electronic system architecture and network configuration may allow increased connectivity to and access from external network sources, and the FAA’s current certification standards do not adequately address that increased connectivity. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.

I have previously discussed the FAA’s approach on these cybersecurity special conditions. In August of 2024, as part of a move on the part of the agency to obviate the need for these special conditions, the FAA published a notice of proposed rulemaking on “Equipment, Systems, and Network Information Security Protection”. The FAA has not yet submitted a final rule to OMB for approval. 

Today’s announced special conditions are not as extensive and inclusive as those proposed in the NPRM. Part of the reason is that the FAA typically provides detailed guidance on airworthiness criteria in a means of compliance (MOC) document, which gives both the vendor and FAA inspectors the technical details of what the agency expects to see to meet the requirements (see my previous discussion here).

Review – HR 8410 Introduced – Train Dispatching Systems

Last month Rep Gillen (D,NY) introduced HR 8410, the Safe Tracks Act. The bill would require DOT to revise 49 CFR 236.911 to remove the exemption for railroad dispatch systems from the train control system standards of 49 CFR Part 236 Subpart H, Standards for processor-based signal and train control systems. No new funding is authorized. 

Moving Forward  

Gillen, and three of her five cosponsors {Rep Garcia (D,IL), Rep Foushee (D,NC), and Rep Nehls (R,TX)}, are members of the House Transportation and Infrastructure Committee. This means that there may be sufficient influence to see the bill considered by the Committee. I suspect that there will be significant Republican opposition to this legislation since it would extend the regulatory coverage of train control systems to dispatch systems. Railroads would incur some costs associated with that change.


For more information about the provisions of this bill, including a brief look at the current regulatory framework, see my article at CFSN Detailed Analysis - subscription required.

Sunday, May 31, 2026

Review - Public ICS Disclosures – Week of 5-23-26 – Part 2

For Part 2 we have 12 additional vendor disclosures from Hitachi Energy (3), JUMO, MB connect (2), METTLER TOLEDO, Moxa, NI, Phoenix Contact, and QNAP (2). 

Advisories  

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their ITT600 Explorer product. 

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes a heap-based buffer overflow vulnerability in their MACH HiDraw product. 

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that describes four vulnerabilities in their RTU500 product. 

JUMO Advisory - CERT-VDE published an advisory that discusses an improper input validation vulnerability (with publicly available exploit) in multiple JUMO products. 

MB connect Advisory #1 - MB connect published an advisory that describes an SQL injection vulnerability in their mbCONNECT24 and mymbCONNECT24 products.

MB connect Advisory #2 - MB connect published an advisory that describes two vulnerabilities in their mbNET/mbNET.rokey and mbNET.mini products.

METTLER TOLEDO Advisory - CERT-VDE published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their EVA Karl Fischer titrator software. 

Moxa Advisory - Moxa published an advisory that discusses the Copy Fail and Dirty Frag vulnerabilities. 

NI Advisory - NI published an advisory that describes a missing authentication for critical function vulnerability in their SystemLink Enterprise product.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes two vulnerabilities in their PLCnext firmware.

QNAP Advisory #1 - QNAP published an advisory that discusses the Dirty Frag vulnerabilities.

QNAP Advisory #2 - QNAP published an advisory that discusses the Copy Fail vulnerability. 


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-f0a - subscription required. 

Saturday, May 30, 2026

Chemical Incident Reporting – Week of 5-23-26

NOTE: See here for series background. 

Yates Center, KS – 5-23-26  

Local News Report: Here and here. 

There was a small chlorine gas leak at a water treatment plant. The leak occurred during the change out of a chlorine gas bottle. One person was transported to the hospital with ‘acute chlorine exposure’.

Possible CSB reportable. 

Fairview, OR – 5-25-26  

Local News Report: Here, here, and here.

There was an anhydrous ammonia leak at an agricultural facility in town. One person was treated on site for exposure issues. 

Not CSB reportable. 

Bradley County, TN – 5-26-26  

Local News Report: Here, here, and here.

There was a titanium powder flash fire in a manufacturing facility. The plant plans to be closed for 5 to 6 weeks to address safety issues. No injuries were reported. 

Not CSB reportable. 

Thorntown, IN – 5-26-26  

Local News Report: Here, here, and here.

There was an anhydrous ammonia release from a portable agricultural tank. A nearby campground was evacuated as a precautionary measure. Two people self-transported to the local hospital for exposure issues. 

Not CSB reportable; this was a transportation related incident. 

Stickney, IL – 5-29-26  

Local News Report: Here, here, and here.

There was an explosion and a fire at a chemical plant. No reports of injuries. 

Possible CSB reportable. 


For additional incident reports see “Weekly U.S. Hazmat Intelligence Briefing”  

 