Chemical Incident Reporting – Week of 4-18-26

 NOTE: See here for series background. 

Blaine, WA – 4-18-26  

Local News Report: Here, here, and here. 

There was a possible explosion at an oil refinery during a turnaround operation. Three people were transported to local hospitals and held at least overnight. No details are available. 

CSB reportable. 

Great Barrington, MA – 4-19-26  

Local News Report: Here. 

There was a residential garage fire involving pool chemicals. No injuries were reported. The fire was limited to the garage. Nearby homes were evacuated due to the presence of the pool chemicals. 

Not CBS reportable. 

Ottawa, IL – 4-20-26  

Local News Report: Here and here. 

There was an explosion and fire at a magnesium processing facility. Two employees were transported to local hospitals. Minimal damage to the facility was reported. 

Possible CSB reportable. 

Nitro, WV – 4-22-26  

Local News Report: Here, here, and here. 

There was an unexpectged chemical reaction that led to the release of hydrogen sulfide. Two people were killed and 19 transported to local hospitals for chemical exposure treatment. Parts of the facility were being dismantled when the incident occurred. 

CSB reportable and CSB team on scene. 

Review - PHMSA Publishes 39 Pipeline Safety Rules – 4-24-26

 Yesterday, DOT’s Pipeline Hazardous Materials Safety Administration (PHMSA) published 30 final rules and nine proposed rules in the Federal Register. I am not planning any detailed coverage of any of these final rules or proposed rules. 

For a lists (with associated links) of each final rule and proposed rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-39-pipeline-safety - subscription required. Free subscribers will receive a copy of that article tomorrow night.  

OMB Approves FAA UAS ‘No Fly’ Designation NPRM

 Yesterday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from the FAA on “Designation - Restrict the Operation of an Unmanned Aircraft in Close Proximity to a Fixed Site Facility”. The NPRM was submitted to OIRA on May 13th, 2025. 

According to the Spring 2025 Unified Agenda entry for this rulemaking: 

“This action would implement section 2209, Applications for designation, of Public Law 114-190 [link added], the FAA Extension, Safety and Security Act of 2016 (130 Stat. 634). Specifically, this rule would establish the criteria and procedures for the operator or proprietor of eligible fixed site facilities to apply to the FAA for an unmanned aircraft-specific flight restriction. In addition, this rule would establish the substantive criteria based on the enumerated statutory considerations (i.e. national security and aviation safety) that the FAA will use in determining to grant or deny a petition, as well as the procedures for notifying the petitioner of the determination made and the process for resubmission of any denial. Lastly, this rule would establish the process to be used by the FAA to implement the unmanned aircraft-specific flight restriction and notify the public.” 

Interestingly, that entry has a different set of legal deadlines for publishing the NPRM and Final Rule. The new publication deadlines were set by Sec 929 of the FAA Reauthorization Act of 2024 (PL 118-63,138 Stat. 1365). That section made a minor amendment to the wording of the earlier Sec 2209 and set the new deadlines. 

I expect that the NPRM will be published in the Federal Register next month. 

Review – Public ICS Disclosures – Week of 4-18-26 – Part 1

 This is a moderately busy disclosure week. For Part 1 we have nine vendor disclosures from CODESYS (3), Endress+Hauser, Helmholz, HP, Mettler Toledo, Moxa, and Phoenix Contact. 

Advisories  

CODESYS Advisory #1 - CODESYS published an advisory that describes an improper check for unusual or exception conditions vulnerability in their EtherNetIP product. 

CODESYS Advisory #2 - CODESYS published an advisory that describes the use of an externally controlled format string vulnerability in their Control V3 product. 

CODESYS Advisory #3 - CODESYS published an advisory that describes an incorrect resource transfer between spheres vulnerability in their Control V3 product. 

Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an inclusion of functionality from untrusted control sphere vulnerability (with publicly available exploits and listed in CISA’s KEV catalog) in the Endress+Hauser MCS200HW emission analyzer. 

Helmholz Advisory - CERT-VDE published an advisory that discusses an exposure of sensitive information to an unauthorized actor vulnerability (with publicly available exploits) in the Helmholz WALl IE Standard 4-Port product. 

HP Advisory - HP published an advisory that discusses three vulnerabilities in multiple HP product lines. 

Mettler Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in the Mettler MR and MX balances. 

Moxa Advisory - Moxa published an advisory that discusses an origin validation error vulnerability in their ethernet switches.  

Pheonix Contact Advisory - Pheonix Contact published an advisory that discusses two vulnerabilities (one with publicly available exploits) in multiple Pheonix Contact product lines. 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-943 - subscription required.