Review – 4 Advisories and 1 Update Published – 3-24-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from Schneider (2) and Pharos Controls. They published a medical device security advisory for products from Grassroots.

Advisories

Schneider Advisory #1 - This advisory discusses four vulnerabilities (with publicly available exploit) in the Schneider Plant iT/Brewmaxx product.

Schneider Advisory #2 - This advisory describes a deserialization of untrusted data vulnerability in the Schneider EcoStruxure Foxboro DCS.

Pharos Advisory - This advisory describes a missing authentication for critical function vulnerability in the Pharos Mosaic Show Controller.

Grassroots Advisory - This advisory describes a missing release of memory after effective lifetime vulnerability in the Grassroots DICOM library.

Updates

WHILL Update - This update provides additional information on the Model C2 Electric Wheelchairs advisory that was originally reported on December 30^th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-1-update-published-2f7 - subscription required.

CSB Publishes Safety Spotlight Acknowledging AFPM Actions

Yesterday the Chemical Safety Board announced the publication of a Safety Spotlight document acknowledging the American Fuel and Petrochemical Manufacturers (AFPM) for the organization’s leadership in chemical safety. Specifically, CSB noted that the AFPM took responsibility for addressing the CSB’s safety recommendation for the American Petroleum Institute (API) that resulted from the Board’s investigation of the 2018 Husky refinery explosion and fire.

The CSB notes that:

“This type of positive collaboration to implement CSB recommendations illustrates that addressing chemical safety is a shared responsibility and should be emulated by others. Such commendable action helps drive chemical safety excellence.”

NASA Sends NEPA Implementation IFR to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received an interim final rule from NASA on “Procedures for Implementing the National Environmental Policy Act”. This is part of the ongoing federal agency response to CEQ’s implantation of EO 14154 requirements to rescind National Environmental Policy Act regulations and update NEPA guidance.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The National Aeronautics and Space Administration (NASA) is amending its existing regulations related to environmental quality at 14 CFR 1216 as directed by the Council on Environmental Quality (CEQ) per Memorandum from Executive Office of the President for Heads of Federal Departments and Agencies to meet Executive Orders requirements.”

Coverage of this IFR will fall under my limited Space Geek coverage.

HR 8029 Introduced – FY 2026 DHS Spending

Last week Rep Ciscomani (R,AZ) introduced HR 8029, the Pay Our Homeland Defenders Act. This bill would provide for spending for the Department of Homeland Security through September 30^th, 2026. For the most part this bill is the same as HR 7147, the Department of Homeland Security Appropriations Act, 2026, that is still being ‘considered’ in the Senate.

One provision from HR 7147 is not found in this new bill, §554, Repeal of Senate Notification Requirements Relating to Legal Process on Disclosures of Senate Data. The same provision was included in HR 7148 {§105, Division H}, the last FY 2026 minibus spending bill that was passed in February.

HR 8029 includes the actual text of the spending bill as Division A of the bill. Division B, Further Additional Continuing Appropriations Act, 2026, addresses the period of no funding since February 13^th, 2026. It provides the legal language authorizing back pay for DHS employees, and other obligations made by the Department during that period.

The House Rules Committee is scheduled to meet tomorrow to formulate the rule for the consideration of this bill.

Review – CSB Updates Accidental Release Reporting Data – 3-1-26

Last week the CSB updated their published list of reported chemical release incidents. They added 19 new incidents that occurred since the previous version was published in January 2026. These are not incidents that the CSB is investigating, these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through March 1^st, 2026.

The table below shows the top five states based upon the number of reported incidents since the December update was published. In this case, with the short time frame since the last update, these were the only states that had reported incident.

For more information on the updated incident reporting data, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-b39 - subscription required.

Forced Instant Tank Ignition

There is an interesting post over on LinkedIn where the author, Valerii Ivanov, introduces a new industrial safety term ‘forced instant tank ignition’. He uses this term to describe the type of conflagration that is increasingly being seen in the Persian Gulf region; the catastrophic failure and near instantaneous ignition of large petroleum product storage tanks caused by drone and missile strikes.

Ivanov makes the point that chemical safety programs are not equipped to protect facilities from these types of incidents. Tank failure sensors and fire suppression systems have not been designed to respond to the scope and speed of these military conflict-initiated incidents.

To be fair, safety programs have enough problems dealing with neglect, equipment failures, and human mistakes. Asking safety managers to deal with military strikes is certainly going beyond the scope of their training and fiscal support. Having said that, the current Iranian contretemps show that attacking critical industrial chemical facilities is a cheap route to effective asymmetric warfare with an impact well beyond the cost of the attack.

Ivanov points to investigating and implementing fire suppression systems that are capable of dealing with this type of instantaneous conflagration. While that would limit the effects of such attacks, safety engineering teaches that preventing incidents is more cost effective than mitigating their effects. Protecting chemical facilities from military scale drone and missile attacks is beyond the capabilities of facility security forces and requires a high-level look at the political and military calculus of point defense operations.

Smaller scale drone (both air and sea) attacks by paramilitary and terrorist forces, are certain to see an upturn in the number and effectiveness of attacks on chemical facilities after seeing their effectiveness clearly demonstrated. Facility security forces are almost certainly going to be called upon to conduct defense against these smaller scale attacks, even if government regulations continue to ignore the need for local counter drone operations.

Short Takes – 3-21-26 – Federal Register Edition

Clearance of Renewed Approval of Information Collection: Human Space Flight Requirements for Crew/Space Flight Participants. Federal Register FAA 60-day ICR renewal notice. Summary: “The collection involves information demonstrating that a launch or reentry operation involving human participants will meet the risk criteria and requirement to ensure public safety. The FAA has established requirements for human space flight crew and space flight participants as required by the Commercial Space Launch Amendments Act of 2004. On December 15, 2006, the FAA published a final rule (71 FR 75616) which established requirements for crew qualifications, training and notification, and training and informed consent requirements for space flight participants. The requirements were designed to achieve public safety and to notify participants of the risks they face from launch or reentry.”

NASA Front Door. Federal Register NASA 60-day ICR renewal notice. Summary: “The NASA Front Door (NFD) is an online/web-based tool that will serve as a centralized digital hub to help facilitate engagement between individuals, organizations, and the workforce of NASA, providing personalized support, guidance, and efficient access to NASA's extensive programs, opportunities, resources, and expertise. The information collection will consist of general contact information, interest/intake information and when appropriate, demographic information as part of registration profile. The information will be reviewed by NASA representatives to route individuals, organizations and the workforce of NASA to relevant NASA services, opportunities, resources, and/or expertise.”

Unmanned Aircraft System (UAS) Integration at Airports and Necessary Planning, Design, and Physical Infrastructure Needs. Federal Register – FAA 30-day new ICR notice. Summary: “The collection involves conducting research in the form of written responses or interviews with aviation stakeholders (e.g., airport/droneport operators, private entities, original equipment manufacturers, unmanned aircraft system (UAS) industry vendors, academia, representatives of the military, aviation stakeholders, etc.) to catalog current and planned droneport planning, design, and infrastructure needs, as well as find out which airports are integrating UAS into the airport environment. During each interview, the FAA will ask the stakeholders a specific set of questions, and if necessary, fact-specific follow-up questions will be posed to clarify and enhance the respondent's answers to the specified set of questions. If preferred, stakeholders will be able to provide written responses in lieu of an interview.”

Pipeline Safety: Request for Special Permit; Sable Offshore Corp. Federal Register PHMSA special permit comment extension. Summary: “On February 24, 2026, PHMSA published a notice to solicit public comment on a request for a special permit submitted by Sable Offshore Corp. (Sable). The comment period is currently set to expire on March 26, 2026. PHMSA is issuing this notice to extend the comment period until 14 days from the date of this notice to give the public time to review the proposed special permit in light of recent developments. At the conclusion of the extended comment period, PHMSA will review the comments received from this notice as part of its evaluation to grant or deny the special permit request.”