Tuesday, March 10, 2026

Review – Bills Introduced – 3-9-26

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 44 bills introduced. One of those bills may receive additional coverage in this blog:

HR 7885 To direct the Secretary of Education to establish a pilot program to award competitive grants for the integration of cybersecurity education, and for other purposes. Thompson, Glenn [Rep.-R-PA-15]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill that would deregulate non-pasteurized milk, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-9-26 - subscription required.

Monday, March 9, 2026

Review – HR 7384 Introduced – HF Prohibition

Last month Rep Waters (D,CA) introduced HR 7384, the Preventing Mass Casualties from Release of Hydrofluoric Acid at Refineries Act of 2026. The bill would prohibit the use of hydrogen fluoride (HF) in oil refineries. No new funding is provided by the bill.

This bill is similar to HR 10441, the Preventing Mass Casualties from Release of Hydrofluoric Acid at Refineries Act of 2024, that was introduced by Waters in December 2024. No action was taken in the House on that bill.

Moving Forward

While Waters is not a member of the House Energy and Commerce Committee to which this bill was assigned for consideration, one of her six cosponsors, Rep Barragán (D,CA), is a member. This could mean that there would be sufficient influence to see the bill considered in Committee. Unfortunately, this bill is very partisan and would be expected to be vehemently opposed by many Republicans. There is effectively no chance that this bill will be considered in the 119th Congress.

 

For more information on the provisions of this bill, including a commentary on a possible alternative legislative solution to the problem, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7384-introduced-hf-prohibition - subscription required.

Review – HR 7272 Introduced – DOE Pipeline Security

Back in January Rep Webber (R,TX) introduced HR 7272, the Pipeline Cybersecurity Preparedness Act. The bill would establish Department of Energy responsibilities for physical security and cybersecurity coordination to ensure the security, resiliency, and survivability of natural gas, hazardous liquid pipelines, and liquefied natural gas facilities. No new funding is provided.

Moving Forward

On February 4th, 2026, the House Energy and Commerce Committee held a business meeting that included consideration of HR 7272. The bill passed without amendment by a voice vote (pages 41-2). Pending publication of the committee report on the bill, the bill is ready for consideration by the full House. I suspect that it will be considered under the suspension of the rules process and would be expected to pass with strong bipartisan support.

Commentary

The inclusion of ‘hazardous liquid pipelines’ in the provisions of this bill is a tad bit odd as they would be a PHMSA area of expertise. While it is clear that general security requirements for energy pipelines would apply to non-energy related chemical pipelines, there are specific safety requirements that would be applicable to toxic chemical pipelines (downwind chemical detection comes to mind) that are probably not necessary for energy pipelines. Having said that, all of the voluntary security measures that would be developed under this bill’s provisions would be beneficial for hazardous liquid pipelines.

 

For more information on the provisions of this bill, including additional commentary on codifying DOE security research requirements, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7272-introduced-doe-pipeline-security - subscription required.

Sunday, March 8, 2026

Review – Public ICS Disclosures – Week of 2-28-26 – Part 2

For Part 2 we have five additional vendor updates from FortiGuard (2), GE Vernova, HPE, and VMware. There are 12 researcher reports about vulnerabilities in products from Biosig Project (3), Honeywell, and Philips (8). Finally, we have six exploits for products from Honeywell, Splunk, WatchGuard, and Wireshark (3).

Updates

FortiGuard Update #1 - FortiGuard published an update for their OpenSSL advisory that was originally published on January 30th, 2026, and most recently updated on February 25th, 2026.

FortiGuard Update #2 - FortiGuard published an update for their SSL-VPN bookmarks advisory that was originally published on October 14th, 2025.

GE Vernova Update - GE published an update for their Universal Relay advisory that was originally published on December 14th, 2025.

HPE Update - HPE published an update for their Aruba Networking EdgeConnect SD-WAN Orchestrator advisory that was originally published on January 14th, 2026, and most recently updated on February 10th, 2026.

VMware Update - Broadcom published an update for the VMware Aria Operations advisory that was originally published on February 24th, 2026.

Researcher Reports

Biosig Reports - Cisco Talos published three reports about vulnerabilities in the Biosig Project libbiosig library.

Honeywell Report - Zero Science published a report that describes an improper authentication for critical function vulnerability (with publicly available exploit) in the Honeywell Trend IQ4 building controller.

Philips Reports - ZDI published eight reports of vulnerabilities in the Philips Hue Bridge product that were disclosed in a recent Pwn2Own contest.

Exploits

Honeywell Exploit - Indoushka published a Metasploit module for an improper authentication for critical function vulnerability in the Honeywell Trend IQ4 product.

Splunk Exploit - Indoushka published an exploit for a function call with incorrectly specified argument value vulnerability in the Splunk Enterprise product.

WatchGuard Exploit - WatchTowr published an exploit for an out-of-bounds write vulnerability in the WatchGuard Fireware OS product.

Wireshark Exploit #1 - Indoushka published an exploit for an allocation of resources without limits or throttling vulnerability in the Wireshark USB HID Protocol Dissector.

Wireshark Exploit #2 - Indoushka published an exploit for a buffer overread vulnerability in the Wireshark Dissector product.

Wireshark Exploit #3 - Indoushka published an exploit for a NULL pointer dereference vulnerability in the Wireshark Dissector product.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-bb7 - subscription required.

Saturday, March 7, 2026

Chemical Incident Reporting – Week of 2-28-26

NOTE: See here for series background.

Belle Rose, LA – 2-23-26

Local News Report: Here, here, here, and here.

There was a catastrophic equipment failure during the pressure test of a brine well. One employee was killed; two others were airlifted to a hospital.

CSB reportable. An overpressure incident is considered to be a release of a hazardous gas because a severe injury or death resulted from the release.

Neshoba, PA – 3-3-26

Local News Report: Here.

There was a single vehicle accident involving a tractor-trailer, with the trailer overturning and spilling ammonium nitrate fertilizer. No injuries were reported.

Not CSB reportable, transportation related.

Swedesboro, NJ – 3-4-26

Local News Report: Here, here, here, and here.

There was an apparent propane explosion at a food processing facility. Four employees were hospitalized in critical condition. There was extensive damage to the facility and neighboring properties. Building damage was reported as far as a mile away from the incident.

Note: Propane and butane are used to extract cocoa butter from cocoa beans, a process that may have been in use in this facility.

CSB reportable.

Ft Mill, SC – 3-5-26

Local News Report: Here, here, here, and here (this is for the earlier spill).

There was a hydrofluoric acid spill at a manufacturing facility. No injuries were reported. An adjacent elementary school canceled classes due to the spill.

NOTE: This was the second hazardous materials spill reported at the facility this week. The South Carolina Department of Environmental Services ordered the facility to cease operations until an inspection of the facility's Risk Management Plan could be completed by the State agency and the US EPA.

Not CSB reportable.

CSB Added Woodland Pulp Incident to Active Investigations List

Yesterday the US Chemical Safety Board (CSB) updated their Current Investigations page to add their investigation into the January 27th, 2026 fatal release of hydrogen sulfide from the process sewer at the Woodland Pulp facility in Baileyville, ME. Initial reports indicated that the mixing of chemicals in the process sewer resulted in the formation of the hydrogen sulfide. One college intern was killed and nine other workers on the site were injured.

The Board had announced that it was beginning an investigation on February 9th, 2026.

This brings the number of open CSB investigations to eight.

Review – Public ICS Disclosures – Week of 2-28-26 – Part 1

This week we have bulk vendor disclosures from Broadcom (23). There are 12 additional vendor disclosures from Belden, Dell, Endress+Hauser, HP (2), HPE, Mettler Toledo, Philips, Sick, and WatchGuard (3). We also have four vendor updates from Broadcom.

Advisories

Belden Advisory - Belden published an advisory that discusses the BlastRadius.Fail vulnerability.

Dell Advisory - Dell published an advisory that discusses 86 vulnerabilities in their ThinOS product.

Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in the Endress+Hauser CC 100 and PFC 200 products.

HP Advisory #1 - HP published an advisory that describes an incorrect default permissions vulnerability in their Event Utility product.

HP Advisory #2 - HP published an advisory that describes a use of hard-coded cryptographic key vulnerability in their SIP Service Providers products.

HPE Advisory - HPE published an advisory that describes six vulnerabilities in their Aruba Networking Wireless Operating Systems.

Mettler Toledo Advisory - CERT-VDE published an advisory that discusses an HTTP request/response smuggling vulnerability (with publicly available exploit) in the Mettler Toledo LabX product.

Philips Advisory - Philips published an advisory that discusses two Cisco Secure Firewall Management Center vulnerabilities.

Sick Advisory - Sick published an advisory that describes two files or directories accessible to external parties vulnerabilities in their Lector85x and Lector83x products.

WatchGuard Advisory #1 - WatchGuard published an advisory that describes an expected behavior violation vulnerability in their FirewareOS products.

WatchGuard Advisory #2 - WatchGuard published an advisory that describes a cross-site scripting vulnerability in their Fireware OS Web UI products.

WatchGuard Advisory #3 - WatchGuard published an advisory that describes an out-of-bounds write vulnerability in their Fireware OS products.

Updates

Broadcom Update #1 - Broadcom published an update for their Fabric OS Web application advisory that was originally published on May 10th, 2021.

Broadcom Update #2 - Broadcom published an update for their Fabric OS advisory that was originally published on September 27th, 2024, and most recently updated on January 28th, 2026.

Broadcom Update #3 - Broadcom published an update for their Brocade SANnav advisory that was originally published on October 15th, 2024, and most recently updated on February 19th, 2026.

Broadcom Update #4 - Broadcom published an update for their Brocade ASCG advisory that was originally published on January 8th, 2025, and most recently updated on February 19th, 2026.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-04b - subscription required.

 