Tuesday, February 10, 2026

Review – 5 Advisories Published – 2-10-26

Today CISA’s NCCIC-ICS published four control system security advisories for products from AVEVA (2), ZLAN Information Technology, and Yokogawa. They also published a medical device security advisory for products from ZOLL.

 

Advisories

 

AVEVA Advisory #1 - This advisory describes an insertion of sensitive information into a log file vulnerability in the AVEVA PI to CONNECT Agent.

AVEVA Advisory #2 - This advisory describes an uncaught exception vulnerability in the AVEVA PI Data Archive.

ZLAN Advisory - This advisory describes two missing authentication for critical function vulnerabilities in the ZLAN ZLAN5143D.

Yokogawa Advisory - This advisory describes 14 vulnerabilities in the Yokogawa FAST/TOOLS product.

ZOLL Advisory - This advisory describes an insertion of sensitive information into externally-accessible file or directory vulnerability in the ZOLL ePCR IOS Mobile Application.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-published-2-10-26 - subscription required.

Short Takes – 2-10-26 – Federal Register Edition

Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations; Reopening of Comment Period; Denial of Extension. Federal Register FAA extension denial. Summary: “This action denies requests for extension of the reopening [link added] of the comment period for the notice of proposed rulemaking (NPRM) titled “Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations” that was published in the Federal Register on January 28, 2026.”

Agency Information Collection Activities; Notice and Request for Comment; Distraction: Modern Voice Command Interfaces. Federal Register NHTSA 60-day ICR notice for new ICR. Summary: “This document describes a collection of information for which NHTSA intends to seek OMB approval to conduct research on safety-related aspects of voice command interfaces (VCIs), specifically how VCIs affect distracted driving behavior and cognitive workload.”

Reduction in Force Appeals. Federal Register OPM notice of proposed rulemaking. Summary: “The Office of Personnel Management (OPM) is issuing a proposed rule to revise its regulations governing appeals of reduction-in-force (RIF) actions. OPM proposes to transfer appeal rights for employees who have been furloughed more than 30 days, separated, or demoted by a RIF action from the Merit Systems Protection Board (MSPB) to OPM. OPM expects this change will promote greater efficiency and reduce costs to agencies in effectuating RIF actions, which may be necessary in a variety of circumstances, such as to eliminate duplicative or unnecessary functions or align agency workforces with new technology, changing mission needs, or budgetary constraints.”

Hazardous Materials: Preemption Application From Exxon Mobil Corporation; Extension of Comment Period. Federal Register PHMSA extension of comment period. Summary: “PHMSA is extending the period for comments on Exxon Mobil Corporation's application for an administrative determination as to whether the Federal hazardous material transportation law (HMTA) preempts certain state common law tort claims against it regarding the marking, employee training, loading and unloading, and hazardous material classification for gasoline transported by cargo tank motor vehicle.”

CSB Announces Investigation of Industrial Sewer Gas Incident

Yesterday the Chemical Safety Board announced that it was opening an investigation into the fatal chemical release that occurred on January 27, 2026, at the Woodland Pulp, LLC facility in Baileyville, Maine. For news reports about the incident, see here, here, and here. CSB investigators are already on the scene.

Yesterday’s announcement notes that:

“According to initial information submitted by the company to the CSB, the incident may have involved the mixing of concentrated sulfuric acid with sulfurous compounds in an enclosed process sewer, resulting in the generation and release of hydrogen sulfide, a highly toxic gas, in the Bleach Plant area of the facility.”

This incident has not yet been added to the list of CSB’s open investigations. That is not unusual. I would expect to see it added in two to three weeks, after additional internal review of information obtained by investigators. There are nine current investigators listed on the CSB site.

Commentary

Process sewers in chemical manufacturing facilities are a relatively unregulated and often overlooked process safety hot spot. Local permits set limits on what can be sent to local wastewater treatment facilities through these systems and process wastes are typically tested against those standards. EPA regulations about hazardous-waste treatment limit what facilities can do in the way of processing these waste streams without a hazardous waste treatment permit; usually just pH adjustments (often with concentrated sulfuric acid) and solids and oil/grease separations.

While the compatibility of various waste streams is often not tested, process knowledge should be able to identify potential issues. But, even then, process upsets, and on-the-fly processing of those upsets, may produce unexpected waste streams that could pose unanticipated compatibility issues.

Review – Bills Introduced – 2-9-26

Yesterday, with both the House and Senate in Washington, there were 60 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7448 To direct the Secretary of Homeland Security to develop a strategy to modernize the National Terrorism Advisory System, and for other purposes. Pou, Nellie [Rep.-D-NJ-9] 

 

For more information on this bill, including legislative history for similar bills in the 118th Congress, as well as a mention in passing about a bill that would prohibit weather modification, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-9-26 - subscription required.

Monday, February 9, 2026

Short Takes – 2-9-26

Covert recording is easy, which is the problem. PenTestPartners.com article. Pull quote: “If you are running sensitive meetings, it is worth treating covert recording as a practical risk. Set expectations on recording, keep tighter control of visitors and unattended spaces, use suitable rooms for sensitive conversations, train staff on what to do if they suspect a device, and escalate concerns through a clear internal process. This is basic physical security hygiene, but it matters because the barrier to misuse is so low.”

Covid pandemic’s disruption of industrial activity drove surge in methane in early 2020s. ChemistryWorld.com article. Pull quote: “Methane levels in the atmosphere grew at over 16 parts per billion per year between 2020 and 2022, double the rate of increase in the years either side of the surge. Researchers previously suggested that the combination of an increase in natural methane emissions and fewer hydroxy radicals in the atmosphere drove the sharp increase, with each contributing equally. Methane is a potent greenhouse gas with a warming potential that is around 30 times greater than carbon dioxide over a 100 year period.”

Hacking Attack Leaves Russian Car Owners Locked Out of Their Vehicles. Forta.com article. Summary: “Security-critical components need to be designed with the assumption that remote systems will fail at some point, whether due to accident or malicious attack. Having a graceful fallback that does not leave drivers stranded would be a good start.”

The Drone Wasn’t the Point: Escalation in the Age of Unmanned Probing. LinkedIn.com Pulse article. Pull quote: “Iran does not need to destroy a carrier to achieve its objectives. It needs to normalize close approaches, collect reaction data, stress command and control systems, increase the frequency of high-consequence decisions, and raise the probability of miscalculation over time.”

Tear gas and pepper spray can have lasting health effects. ScienceNews.org article. Pull quote: “But the long-term health risks are poorly understood. No large, systematic studies have investigated the health problems that emerge long after exposure to these chemicals, says Anthony Szema, chair of the American Thoracic Society’s Section on Terrorism and Inhalation Disasters. Some research, though, has painted a picture of enduring repercussions. For weeks and even months after the immediate moments of exposure, crowd control agents can continue to sabotage the organs that allow us to breathe, pump blood and even make life.”

Las Vegas bio lab raid possibly tied to California case, federal Chinese investigation. 8NewsNow.com article. Pull quote: “Shortly before 6 a.m., a Metro SWAT team served a search warrant at the home on Sugar Springs Drive near Washington Avenue and Hollywood Boulevard to search for a possible “biological laboratory” inside the home. A second location was also searched, but no lab was located.”

2025 Threat Report: Exploitation Grows Across IT, IoT, and OT. Forescout.com article. Pull quote:

“242 vulnerabilities were added to CISA KEV — a 30% YoY increase YoY.

“285 vulnerabilities were added to the Vedere Labs KEV — a 213% YoY increase.

“71% of exploited vulnerabilities were not in CISA KEV, indicating attackers continue to exploit issues not prioritized by major advisories.

“One of the most exploited vulnerabilities affected Langflow, showing AI development tools are prime targets as AI adoption grows.”

Backlog List

Airgas Hazardous Material Cargo Tank Leak,

Global analysis identifies trends in platform chemical research,

A path to creating polarized OLED displays,

OT Network Security Threats: Industrial Routers Under Attack,

China figured out how to sell EVs. Now it has to deal with their aging batteries,

Without railway reform, your town could be the next East Palestine,

The quest to hatch a bird-flu vaccine,

Long-COVID research just got a big funding boost: will it find new treatments?

MAP: Influenza hitting these states hardest as ‘super flu’ continues to spread, and

An underwater volcano off Oregon didn’t erupt in 2025 after all. Why not?

Review – Committee Hearings – Week of 2-8-26

This week, with both the House and Senate in Washington, there is a relatively light hearing schedule. The high-profile hearing this week will be the House Homeland Security oversight hearing on ICE, CBP, and USCIS. Of more interest here are two markup hearings and an oversight hearing for the remainder of DHS.

Markup Hearings

On Tuesday the Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee will hold a business meeting to mark up 12 bills, including HR 7390, the SAFE DRIVE Act.

On Wednesday the Senate Commerce, Science, and Transportation Committee will hold a business hearing to mark up eight bills, including S 3639, the SAT Streamlining Act, and S 1898, the ORBITS Act. This hearing was originally scheduled for February 3rd, 2026.

Oversight Hearing

On Wednesday the Subcommittee on Homeland Security of the House Appropriations Committee will hold an oversight hearing looking at “Oversight Hearing – Potential DHS Shutdown Impacts”.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-2-8-26 - subscription required.

Sunday, February 8, 2026

Review – Public ICS Disclosures – Week of 1-31-26 – Part 2

For Part 2 we have four additional vendor disclosures from Sick (3) and Zyxel. There are seven vendor updates from Broadcom (3), ELECOM (2), HPE, and Moxa. Finally, we have an exploit for products from MySCADA.

Advisories

Sick Advisory #1 - Sick published an advisory that describes 15 vulnerabilities in their TDC-X401GL telematic data collector.

Sick Advisory #2 - Sick published an advisory that describes 12 vulnerabilities (one with publicly available exploit) in their Incoming Goods Suite.

Sick Advisory #3 - Sick published an advisory that discusses an out-of-bounds read vulnerability in their nanoScan3 and microScan3 products.

Zyxel Advisory - Zyxel published an advisory that describes an OS command injection vulnerability in their ZLD firewalls.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade Fabric advisory that was originally published on January 27th, 2026.

Broadcom Update #2 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on January 27th, 2026.

Broadcom Update #3 - Broadcom published an update for their Brocade Fabric OS advisory that was originally published on January 27th, 2026.

ELECOM Update #1 - JPCERT published an update for their ELECOM wireless LAN routers advisory that was originally published on August 27th, 2024, and most recently updated on February 12th, 2025.

ELECOM Update #2 - JPCERT published an update for their ELECOM wireless LAN routers advisory that was originally published on March 26th, 2024, and most recently updated on November 26th, 2024.

HPE Update - HPE published an update for their HPE ProLiant DL/ML/XD, Alletra, and Synergy Servers advisory that was originally published on December 12th, 2025, and most recently updated on January 5th, 2026.

Moxa Update - Moxa published an update for their Diffie-Hellman Key Exchange Protocol advisory that was originally published on June 2nd, 2025, and most recently updated on January 5th, 2026.

Exploits

MySCADA Exploit - Indoushka published an exploit for an OS command injection vulnerability in the MySCADA MyPRO Manager product.

 