Wednesday, April 22, 2026

Review – Bills Introduced – 4-21-26

 Yesterday, with both the House and Senate in Washington, there were 59 bills introduced. Three of those bills may receive additional coverage in this blog: 

HR 8407 To direct the Under Secretary of Commerce for Standards and Technology to establish a Commission on Hazard Risk Assessment Tools, and for other purposes. Franklin, Scott [Rep.-R-FL-18] 

HR 8410 To direct the Secretary of Transportation to apply certain requirements to centralized computer-aided train-dispatching systems and centralized traffic control boards. Gillen, Laura [Rep.-D-NY-4] 

HR 8417 To amend title 49, United States Code, to require all railroad freight cars operating on the United States general railroad system of transportation to meet certain manufacturing and content requirements, and for other purposes. Moolenaar, John R. [Rep.-R-MI-2] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-4-21-26 - subscription required. 

Tuesday, April 21, 2026

Review – 12 Advisories Published – 4-21-26

Today CISA’s NCCIC-ICS published 12 control system security advisories for products from SenseLive, Silex Technology, Zero Motorcycles, Hardy Barth, and Siemens (8). I briefly mentioned the eight Siemens advisories on Saturday. 

Advisories

SenseLive Advisory - This advisory describes 11 vulnerabilities in the SenseLive X3050 industrial serial device server. 

Silex Advisory - This advisory describes 13 vulnerabilities in the SD-330AC and AMC Manager. 

Zero Motorcycles Advisory - This advisory describes a key exchange without entity authentication vulnerability in Zero Motorcycles. 

Hardy Barth Advisory - This advisory describes two vulnerabilities (both with publicly available exploits) in the Hardy Barth Salia EV Charge Controller.  

Siemens Advisory #1 - This advisory describes an authentication bypass by primary weakness vulnerability in the Siemens Industrial Edge Management products. 

Siemens Advisory #2 - This advisory describes an authorization bypass through user-controlled key vulnerability in the Siemens SINEC NMS network traffic monitoring software. 

Siemens Advisory #3 - This advisory discusses a numeric truncation error vulnerability in the Siemens RUGGEDCOM CROSSBOW Station Access Controller. 

Siemens Advisory #4 - This advisory discusses 15 vulnerabilities in the Siemens SCALANCE W-700 IEEE 802.11n family. 

Siemens Advisory #5 - This advisory describes an improper certificate validation vulnerability in the Siemens Analytics Toolkit. 

Siemens Advisory #6 - This advisory describes an improper verification of cryptographic signature vulnerability in the Siemens SINEC NMS network traffic monitoring software. 

Siemens Advisory #7 - This advisory describes an incorrect privilege management vulnerability in the Siemens RUGGEDCOM CROSSBOW Secure Access Manager Primary. 

Siemens Advisory #8 - This advisory discusses an out-of-bounds read vulnerability in the Siemens TPM 2.0 implementation in multiple Siemens products. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-advisories-published-4-21-26 - subscription required. 

Looking Back – 3-8-11

Nearly every morning I start my computer time by looking at information from Google about what happened in my blog in the previous 24 hours. Google (blogspot.com is a Google service) provides interesting pieces of analytical data about my blog readership. One item of particular interest is the top ten blog posts each day. As you would expect, most of those posts were from the last couple of days, but with 16 years of publishing this blog, every once in a while, a blog post from ancient history rises into that list. 

Today, a blog post from March 8th, 2011, made the list. It was a short piece (1 paragraph) about an ICS-CERT Alert for an ActiveX vulnerability in WellinTech’s KingView 6.53. The link to the alert that was in the article was dead but has since been updated. Unfortunately, neither that updated Alert nor its follow-up advisory provided a CVE number for the vulnerability. The advisory noted that an updated DLL file was available to mitigate the vulnerability. 

A little more digging this morning showed a vulnerability (CVE-2011-0406) reported by Dillon Beresford (with a Metasploit module published in September of 2010) that may be the reported vulnerability. There is an interesting blog post by Dillon about the history of that vulnerability, with a follow-up post here. It is an old story, but one that unfortunately still resonates today. 

Monday, April 20, 2026

Review – Committee Hearings – Week of 4-19-26

 This week, with both the House and the Senate in Washington, there is a moderately busy hearing schedule. Budget hearings (both House and Senate) and spending bill markups (in the House) continue. There are also two Space Geek related hearings in the House. 

Spending Bill Hearings  

House  

Tuesday - Fiscal Year 2027 Military Construction, Veterans Affairs, and Related Agencies Bill, Fiscal Year 2027 Financial Services and General Government Bill, and Interim Subcommittee Allocations. 

Wednesday - Continuation Of Full Committee Markup Of Fiscal Year 2027 Financial Services And General Government Bill 

Thursday - Subcommittee Markup Of Fiscal Year 2027 National Security, Department Of State, And Related Programs Bill And Fiscal Year 2027 Agriculture, Rural Development, Food And Drug Administration, And Related Agencies Bill. 

Space Geek Hearings 

On Tuesday, the Subcommittee on Communications and Technology of the House Energy and Commerce Committee will hold a hearing on “SAT Streamlining Act: Modernizing Satellite Licensing for the Final Frontier”.  

On Wednesday, the House Foreign Affairs Committee will hold a business meeting to consider 22 bills, including HR 8321, the Artemis Accords Authorization Act. 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-4-19-26 - subscription required.
