Wednesday, December 17, 2025
CSB Provides Update on the Austin Powder Investigations – 12-17-25
This morning the Chemical Safety Board published an update on their investigation into two NOx releases at Austin Powder facilities in Ohio and Tennessee. The update provides a brief description of both release incidents and outlines the ongoing work being done to determine the root cause of the releases.
CISA Adds FortiGuard Vulnerability to KEV Catalog – 12-16-25
Yesterday CISA announced that they had added an improper verification of cryptographic signature vulnerability in multiple FortiGuard products to their Known Exploited Vulnerabilities (KEV) catalog. FortiGuard previously disclosed the vulnerability along with mitigation measures and new versions that fixed the vulnerability. Three days later Arctic Wolf reported exploits of the vulnerability (along with a related improper verification vulnerability that has not yet been added to the KEV catalog) in the wild.
CISA had directed federal agencies using the affected FortiGuard products to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. A deadline of December 23rd, 2025 has been provided for those actions.
Review – Bills Introduced – 12-15-25
On Monday, with both the House and Senate in session, there were 44 bills introduced. This post is a day late because of a delay in publishing the listing of 25 of the 28 bills introduced in the House on December 15th. One of those bills may receive additional attention in this blog:
S 3481 A bill to expand the authority to use counter-unmanned aircraft system technologies to State, local, Tribal, and territorial law enforcement and correctional agencies, and for other purposes. Peters, Gary C. [Sen.-D-MI]
Tuesday, December 16, 2025
Reader Comment – API & ASME CSB Responses
Yesterday William Sommer, MBA, PE left a comment on LinkedIn on my note about my blog post on the CSB’s video on the Yenkin-Majestic Resin Plant Vapor Cloud Explosion and Fire. He asked:
“I was struck by one of the recommendations for the API and ASME to provide design, construction, alteration guidance for low pressure vessels in flammable or highly hazardous chemical service: Does anyone know status and where to find?”
I have no insight into the status of the development of the design criteria within the American Petroleum Institute (API) and the American Society of Mechanical Engineers (ASME). I can, however, provide a little more information on the CSB’s take on the status of these recommendations; the data comes from the CSB’s Recommendations Statistics page and the September 23rd, 2025, downloadable spreadsheet on that page. Both recommendations were issued on November 30th, 2023. The table below summarizes the pertinent data about the two recommendations.
The text of the API recommendation:
“Develop specific design, construction, and alteration guidance for low-pressure process vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig in API 510 Pressure Vessel Inspection Code, API RP 572 Inspection Practices for Pressure Vessels, and/or other appropriate products. At a minimum, include guidance for: (i) determining and documenting the low-pressure vessel’s design pressure (such as through a data sheet and a nameplate affixed to the vessel); (ii) determining when or if all or parts of the ASME Boiler and Pressure Vessel Code should be applied; (iii) acceptable alternative engineering methods, if applicable; and, (iv) alteration requirements, such as design assessments, inspections, and pressure testing.”
The text of the supporting ASME recommendation:
“Assist API in developing design, construction, and alteration guidance for low-pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig. If any new design and construction guidance is specifically developed for pressure vessels in flammable and other highly hazardous chemicals service not exceeding an internal pressure of 15 psig, reference the design and construction guidance in the Section VIII, Division 1 of the ASME Boiler and Pressure Vessel Code (BPVC).”
Even with a reasonable degree of consensus on the need for standards changes, it takes some time to develop, write and reach consensus on these sorts of things. It does seem to me that two years is not an unreasonable amount of time to be working on such a standard.
If anyone has any information on if/how progress is being made within API or ASME, please let me know.
Review – 4 Advisories and 3 Updates Published – 12-16-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Hitachi Energy, Johnson Controls, and Güralp Systems. They also updated advisories for products from Fuji Electric, Johnson Controls, and Mitsubishi Electric.
Advisories
Mitsubishi Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GT Designer3 products.
Hitachi Energy Advisory - This advisory discusses the BlastRadius-Fail vulnerability.
NOTE: I briefly discussed this vulnerability on November 1st, 2025.
Johnson Controls Advisory - This advisory describes four vulnerabilities in the Johnson Controls PowerG, IQPanel and IQHub products.
Güralp Advisory - This advisory describes an allocation of resources without limit or throttling vulnerability in the Güralp Fortimus, Minimus, and Certimus product series.
Updates
Fuji Update - This update provides additional information on the Fuji Monitouch V-SFT-6 advisory that was originally published on November 4th, 2025.
Johnson Controls Update - This update provides additional information on the Johnson Controls iSTAR Ultra advisory that was originally published on August 12th, 2025.
Mitsubishi Update - This update provides additional information on the Mitsubishi GENESIS advisory that was originally published on May 20th, 2025, and most recently updated on August 28th, 2025.
I briefly discussed this update on August 9th, 2025.
For more information on these advisories, including a brief description of the CISA advisory format change, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-3-updates-published - subscription required.
Review - HR 3435 Introduced – Federal Cyber Workforce Training
Back in May Rep Fallon (R,TX) introduced HR 3435, the Federal Cyber Workforce Training Act of 2025. The bill would require the National Cyber Director to formulate a plan for the establishment of a federal cyber training institute. It does not authorize the actual establishment of the institute; that would require subsequent legislation. The bill specifically does not authorize new spending.
This bill is essentially the same as HR 9520, which was introduced by Fallon in September 2024. No other action was taken on HR 9520 in the 118th Congress.
Moving Forward
Fallon is a member of the House Oversight and Accountability Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. With new spending being prohibited, I see nothing in this bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support, perhaps enough that it could be considered under the suspension of the rules process.
Commentary
While the proposed institute is not a cybersecurity institute, all cyber work roles should include some level of cybersecurity responsibilities. I think it would be helpful to delineate a responsibility for the institute to establish a minimum level of cybersecurity training for all cyber personnel. To that end, I would like to suggest the insertion of a new §2(b)(2)(C):
“(C) establish a common skill level cybersecurity curriculum for all entry level positions and a more advanced cybersecurity training program for personnel transitioning to mid-career level positions;”
For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-3435-introduced-federal-cyber - subscription required.
Short Takes – 12-16-25 – Federal Register Edition
Information Collection: NASA Virtual Launch Guest Watch Party Registration. Federal Register NASA 30-day ICR reinstatement notice. Summary: “The Virtual Guest Program exists to leverage the excitement around launches and milestones to widely disseminate information about Earth and space phenomena through the sharing of information about research on launches, mission objectives, public engagement activities (coloring pages, social media filters) and the like. The program provides registration opportunities for individuals and watch parties so that NASA may provide them the specific information they are interested in receiving and to share a detailed slice of the NASA efforts in carrying out the other portions of the Space Act of 1958. By learning the information from the plans of Watch Party organizers, NASA can best provide appropriate resources and share information about its activities and results.” Comments due January 14th, 2026.
Protecting the Nation's Communications Systems From Cybersecurity Threats. Federal Register FCC order on reconsideration. Summary: “In this document, the Federal Communications Commission (“Commission” or “FCC”) announces that it has reconsidered and rescinded a prior Declaratory Ruling and Notice of Proposed Rulemaking, neither of which had been published in the Federal Register. The Declaratory Ruling misconstrued the Communications Assistance for Law Enforcement Act (CALEA), and the Notice of Proposed Rulemaking was based in part on the Declaratory Ruling's flawed legal analysis and proposed ineffective cybersecurity requirements. This Order follows the FCC's engagement with providers to help strengthen their cybersecurity posture.”
EO 14365 - Ensuring a National Policy Framework for Artificial Intelligence. Federal Register.
EO 14366 - Protecting American Investors from Foreign-Owned and Politically-Motivated Proxy Advisors. Federal Register.
Monday, December 15, 2025
Short Takes – 12-15-25 – Space Geek Edition
Starfish Space and Impulse Space demonstrate autonomous spacecraft proximity operations. SpaceNews.com article. Pull quote: “What distinguished the demonstration from previous rendezvous and proximity operations, or RPO, tests was that the approaching Mira relied on only a single camera to close in on the other spacecraft. The camera fed images into a computer running Starfish’s CETACEAN and CEPHALOPOD software, which generated navigation data and maneuver commands for the LEO Express 2 vehicle.”
New Earth Mini-Moon Asteroid 2025 PN7 Discovered. Astronex.net article. Pull quote: “The asteroid 2025 PN7 belongs to the Arjuna class of near-Earth objects, known for their Earth-like orbits with low eccentricity and inclination. This classification means it maintains a stable relationship with Earth without being bound by our gravity like the Moon. Researchers have confirmed its status through detailed orbital calculations, showing it has been in this configuration for about 60 years and will continue for another roughly 60 years. This makes 2025 PN7 the newest addition to a small group of known quasi-satellites, providing valuable insights into orbital mechanics and the distribution of asteroids near Earth.”
MetaSeismic material mitigates vibration and shock in NASA Marshall testing. SpaceNews.com article. Pull quote: ““The technology is interesting because it offers a damping solution for vibrations that comes in a smaller form factor than other solutions that we may typically use,” Aaron Miller, NASA Marshall lead structural integration engineer, told SpaceNews. “It’s custom tunable for the specific vibration environment that the hardware, whether it be avionics, a battery or something else, may experience.””
Einstein was right: Time ticks faster on Mars, posing new challenges for future missions. LiveScience.com article. Pull quote: “The analysis showed that Martian clocks tick faster, when measured from Earth, than Earth-based ones by an average of 477 microseconds per Earth day. Strikingly, though, this value varies daily by 226 microseconds (about half the offset's value itself) over a Martian year. The variation stems from the egg-like shape of Mars’ orbit and changes in the gravitational tugs of its celestial neighbors as they approach and twirl away from Mars.”
Voyager 1 will reach one light-day from Earth in 2026. Here’s what that means. MSN.com article. Pull quote: ““If I send a command and say, ‘good morning, Voyager 1,’ at 8 a.m. on a Monday morning, I’m going to get Voyager 1’s response back to me on Wednesday morning at approximately 8 a.m.,” Dodd said.”
NASA Unveils a Space Station Mockup Designed for Commercial Spaceflight | NewsRadio 740 KTRH. UFOFeed.com article. Pull quote: “NASA is working with Space Lab to create a first design to be used for future space stations. The plan is to kick off the commercial spaceflight program allowing private companies to open the program to customers who would like to explore space, with less government funding as private entities take over. “They’re selling research time to Nasa but they’re also hoping to go out and find business customers who want to do research in zero gravity.” He said.”
Overview Energy Emerges From Stealth. UFOFeed.com article. Pull quote: ““Our airborne milestone proved that the core transmission system works in motion—the same foundation that will operate in orbit,” Marc Berte, Overview’s founder and CEO, said in a statement. “Space solar energy will only matter when it powers real demand on Earth, and we’re designing for that scale from Day 1.””
How one controversial startup hopes to cool the planet. TechnologyReview.com article. Pull quote: “But numerous researchers focused on solar geoengineering are deeply skeptical that Stardust will line up the government customers it would need to carry out a global deployment as early as 2035, the plan described in its earlier investor materials—and aghast at the suggestion that it ever expected to move that fast. They’re also highly critical of the idea that a company would take on the high-stakes task of setting the global temperature, rather than leaving it to publicly funded research programs.”
Backlog List
• China’s Shijian spacecraft separate after pioneering geosynchronous orbit refueling tests,
• ‘Potentially hazardous’ asteroid 2024 YR4 was Earth's first real-life planetary defense test,
• It’s time to give NASA an astrophysics nervous system,
• The U.S. Senate vs. the Athena Plan — NASA on trial,
• 30 years of SOHO staring at the sun | Space photo of the day for Dec. 2, 2025, and
• A dying satellite could use its final moments to photograph the infamous asteroid Apophis in 2029.
Review – Committee Hearings – Week of 12-15-25
This week, with both the House and Senate preparing to close out this year’s session, there is a relatively light hearing schedule. In the House we have one markup hearing of potential interest, an advanced cybersecurity hearing, and a biosecurity hearing. The Senate will hold an FCC oversight hearing that may include items of interest.
Markup Hearings
On Tuesday the Subcommittee on Communications and Technology of the House Energy and Commerce Committee will hold a business meeting where seven bills will be considered.
Cybersecurity
On Wednesday two subcommittees of the House Homeland Security Committee will hold a joint hearing on “The Quantum, AI, and Cloud Landscape: Examining Opportunities, Vulnerabilities, and the Future of Cybersecurity”.
Biosecurity
On Wednesday the Subcommittee on Oversight and Investigations of the Energy and Commerce Committee will hold a hearing on “Examining Biosecurity at the Intersection of AI and Biology”.
FCC Oversight
On Wednesday the Senate Commerce, Science, and Transportation Committee will hold an oversight hearing on the Federal Communications Commission (FCC).
For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-12-15 - subscription required.
Sunday, December 14, 2025
Review – Public ICS Disclosures – Week of 12-6-25 – Part 2
For Part 2 we have nine bulk disclosures from Siemens. There are five additional vendor disclosures from Dell, Phoenix Contact, Schneider (2), and WAGO. There are 14 bulk updates from HP (6) and Siemens (8). We also have three other vendor updates from Hitachi Energy, Moxa, and Schneider. There is a researcher report on vulnerabilities in products from the Biosig Project (6). Finally, we have four exploits for products from Broadcom, Palo Alto Networks, and React Server Components (2).
Bulk Disclosures – Siemens
• Denial of Service Vulnerability in Interniche IP-Stack based Industrial Devices,
• Multiple Vulnerabilities in RUGGEDCOM ROX Before V2.17,
• Multiple Vulnerabilities in SINEC Security Monitor before V4.10.0,
• Denial of Service Vulnerability in Ruggedcom ROS devices before V5.10.1,
• File Parsing Vulnerability in Simcenter Femap Before V2512,
• Multiple Vulnerabilities in SICAM T Before V3.0,
• Multiple Vulnerabilities in SIMATIC CN 4100 Before V4.0.1,
• Multiple Vulnerabilities in COMOS, and
• Multiple Vulnerabilities in Ruggedcom Rox Before V2.17.0.
Advisories
Dell Advisory - Dell published an advisory that discusses 36 vulnerabilities in their ThinOS product.
Phoenix Contact Advisory - Phoenix Contact published an advisory that describes 14 vulnerabilities in their SWITCH 2xxx Firmware.
Schneider Advisory #1 - Schneider published an advisory that discusses an exposure of sensitive information to unauthorized actor vulnerability in multiple Schneider products.
Schneider Advisory #2 - Schneider published an advisory that discusses a deserialization of untrusted data vulnerability in their EcoStruxure Foxboro DCS Advisor.
WAGO Advisory - CERT-VDE published an advisory that describes two stack-based buffer overflow vulnerabilities in the WAGO Industrial-Managed Switches.
Bulk Updates – HP
• NVIDIA GPU Display Driver October 2025 Security Update,
• NVIDIA GPU Display Driver July 2025 Security Update,
• Certain HP LaserJet Pro Printers – Potential Information Disclosure,
• AMD CPU Microcode Security Update,
• HP System Event Utility and Omen Gaming Hub – Potential Arbitrary Code Execution, and
• Intel System Security Report and System Resources Defense.
Bulk Updates – Siemens
• Deserialization Vulnerability in Siemens Engineering Platforms before V20,
• Deserialization Vulnerability in Siemens Engineering Platforms,
• Buffer Overflow Vulnerability in Third-Party Component in SICAM and SITIPE Products,
• Deserialization Vulnerability in Siemens Engineering Platforms,
• Buffer Overflow Vulnerabilities in OpenSSL 3.0 Affecting Siemens Products,
• Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20, and
• DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery.
Updates
Hitachi Energy Update - Hitachi Energy published an update for their Relion 670/650 advisory that was originally published on June 24th, 2025, and most recently updated on August 26th, 2025.
Moxa Update - Moxa published an update for their ICMP Timestamp Request advisory that was originally published on October 21st, 2025, and most recently updated on October 27th, 2025.
Schneider Update - Schneider published an update for their Altivar Process Drives advisory that was originally published on September 9th, 2025, and most recently updated on October 14th, 2025.
Researcher Reports
Biosig Project Report - Cisco Talos published a report that describes six stack-based buffer overflow vulnerabilities in the Biosig Project libbiosig library.
Exploits
Broadcom Exploit - Indoushka published an exploit for an improper restriction of operations within the bounds of a memory buffer vulnerability in the Broadcom Wi-Fi Firmware.
Palo Alto Networks Exploit - Indoushka published an exploit for a deep-packet inspection vulnerability in PAN-OS.
RSC Exploit #1 - Indoushka published a scanner for, and an exploit of, the deserialization of untrusted data vulnerability in React Server Components.
RSC Exploit #2 - Maksim Rogov, et al, published a Metasploit module for the deserialization of untrusted data vulnerability in React Server Components.
Saturday, December 13, 2025
CISA Adds Sierra Wireless Vulnerability to KEV – 12-12-25
Yesterday CISA announced that it had added an unrestricted upload of file with dangerous type vulnerability in the Sierra Wireless AirLink ALEOS product to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was reported by Cisco Talos on April 15th, 2019; the report included proof-of-concept code. Sierra Wireless published their advisory on the vulnerability (along with 12 others) on April 30th, 2019. CISA published their advisory on the vulnerability (along with six others) on August 20th, 2019, and most recently updated it on April 23, 2020.
CISA has required that Federal agencies that use the affected products apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” Those required actions are to be completed by January 2nd, 2026.
Review – CSB Updates Accidental Release Reporting Data – 12-1-25
On Thursday the CSB updated their published list of reported chemical release incidents. They added 58 new incidents that occurred since the previous version was published in July. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through November 30th, 2025.
The table below shows the top five states based upon the number of reported incidents since the July update was published.
For more information on the data, including a listing of chemical incidents reported in the news that should have been reported to CSB, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-313 - subscription required.
Chemical Transportation Incidents – Week of 11-8-25
Reporting Background
See this post for explanation, with the most recent update here (removed from paywall).
Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.
NOTE: PHMSA’s database is not currently allowing online downloads. I was able to request a copy of the week’s data directly from PHMSA. That is the reason for this late posting.
Incidents Summary
• Number of incidents – 486 (453 highway, 31 air, 2 rail, 0 water)
• Serious incidents – 4 (3 Bulk release, 0 evacuation, 1 injury, 0 death, 0 major artery closed, 2 fire/explosion, 30 no release)
• Largest container involved – 33,900-gal DOT 117J100W Railcar {Petroleum Gases, Liquefied or Liquefied Petroleum Gas} Vapor valve cracked open, plug not tool tight.
• Largest amount spilled – 250-gal Plastic IBC {Caustic Alkali Liquids, N.O.S.} Forklift strike.
• Total amount reported spilled in all incidents – 2174.4-gal
NOTE: Links to Form 5800.1 for the described incidents are not currently available online.
Most Interesting Chemical: Hydrofluoric Acid And Sulfuric Acid Mixtures: A clear colorless liquid with a pungent odor. Corrosive to metals and tissue. Exposure to the fumes or brief contact can cause severe burns as mixture penetrates to cause deep-seated ulceration that is sometimes complicated by gangrene. (Source: CameoChemicals.NOAA.gov).
Review – Public ICS Disclosures – Week of 12-6-25 – Part 1
This week we have bulk disclosures from FortiGuard (8). There are also 12 additional vendor disclosures from Cisco, Dell, Dassault Systems, Elecom, Endress+Hauser, Hitachi Energy (2), HP, HPE, Moxa, and NI (2).
Bulk Disclosures – FortiGuard
• Insertion of sensitive information into REST API logs,
• Insufficient Session Expiration in SSLVPN,
• Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass,
• Multiple authenticated OS Command Injections via API,
• OS command injection in GUI backup options,
• OS command injection in multiple endpoints,
• Private key readable by admin, and
• Reflected XSS in HA cluster.
Advisories
Cisco Advisory - Cisco published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog.
Dell Advisory - Dell published an advisory that discusses 30 vulnerabilities. All but three of these are third-party vulnerabilities.
Dassault Advisory - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.
Elecom Advisory - JP CERT published an advisory that describes an unquoted search path vulnerability in the Elecom Clone for Windows.
Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in multiple Endress+Hauser products.
Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Asset Suite product.
Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the React Server Component deserialization of untrusted data vulnerability that is listed in CISA’s KEV catalog.
HP Advisory - HP published an advisory that describes a path traversal vulnerability in their Event Utility and Omen Gaming Hub products.
HPE Advisory - HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/XD Alletra and Synergy Servers.
Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products.
NI Advisory #1 - NI published an advisory that describes nine vulnerabilities in their LabVIEW product.
NI Advisory #2 - NI published an advisory that describes a relative path traversal vulnerability in their System Web Server.
For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-c5d - subscription required.
Friday, December 12, 2025
Chemical Transportation Incidents – Week of 11-8-25
Unfortunately, the download function of the PHMSA Hazmat Incident Report Search Portal “has been temporarily disabled”. I have a request in to PHMSA to provide the data that I need to write this blog post, but I have no idea if/when that data will be forthcoming. I expect to publish this post when I can.
Review – Bills Introduced – 12-11-25
Yesterday, with both the House and Senate in Washington, there were 128 bills introduced. Two of those bills may receive additional coverage in this blog:
HR 6630 To direct the Department of Defense to carry out an initiative to understand and address occupational resiliency challenges of the Cyber Mission Force. Elfreth, Sarah [Rep.-D-MD-3]
HR 6631 To require the Secretary of Defense to establish a program for the development of cybersecurity education at academic institutions, and for other purposes. Elfreth, Sarah [Rep.-D-MD-3]
Space Geek Legislation
I would like to mention one bill under my limited Space Geek coverage in this blog:
HR 6638 To require a report on merits and options for establishing an institute relating to space resources, and for other purposes. Foushee, Valerie P. [Rep.-D-NC-4]
For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-11-25 - subscription required.
OMB Approves BIS Bio-Lab Equipment Final Rule
Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Control of Laboratory Equipment and Related Technology and Software”. This would be the final action on an interim final rule that was published on January 16th, 2025. This final rule was sent to OIRA on September 23rd, 2025.
According to the Spring 2025 Unified Agenda entry for this rulemaking:
“The Bureau of Industry and Security (BIS) is finalizing revisions to an interim final rule published in January 2025 which amended the Export Administration Regulations (EAR) to address the accelerating development and deployment of advanced biotechnology tools contrary to U.S. national security and foreign policy interests.”
I probably will not be covering this final rule in any detail when it is published next week, but I will at least mention it in the appropriate Short Takes post when it is published.
Thursday, December 11, 2025
Review – 12 Advisories Published – 12-11-25
Today CISA’s NCCIC-ICS published ten control system security advisories for products from OpenPLC, Siemens (6), AzeoTech, and Johnson Controls (2). They also published two medical device security advisories for products from Varex and Grassroots.
Siemens published an additional eight advisories on Tuesday that were not covered here by CISA. I will address those this weekend.
Advisories
OpenPLC Advisory - This advisory describes a cross-site scripting vulnerability in the OpenPLC_V3.
Gridscale Advisory - This advisory describes two vulnerabilities in the Siemens Gridscale X Prepay energy management product.
Energy Services Advisory - This advisory discusses an authentication bypass using an alternate path or channel vulnerability in the Siemens Energy Services product.
Building X Advisory - This advisory describes an improper verification of cryptographic signature vulnerability in the Siemens Building X - Security Manager Edge Controller.
SINEMA Advisory - This advisory describes two vulnerabilities in the Siemens SINEMA Remote Connect Server.
SALT Advisory - This advisory describes an improper certificate validation vulnerability in the Siemens Advanced Licensing (SALT) Toolkit.
IAM Advisory - This advisory describes an improper certificate validation vulnerability in the Siemens IAM Client.
AzeoTech Advisory - This advisory describes seven vulnerabilities in the AzeoTech DAQFactory.
iSTAR Ultra Advisory - This advisory describes two OS command injection vulnerabilities in the Johnson Controls iSTAR Ultra and iSTAR Edge products.
iSTAR Advisory - This advisory describes two improper neutralization of special elements used in an OS command vulnerabilities in the iSTAR Ultra and iSTAR Edge products.
Varex Advisory - This advisory discusses an uncontrolled search path element vulnerability (with publicly available exploit) in their Panoramic Dental Imaging Software.
Grassroots Advisory - This advisory describes an out-of-bounds write vulnerability in the Grassroots DICOM viewer.
NOTE: CISA reports that DICOM viewers from SimpleITK and medInria are also affected by this vulnerability.
For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-advisories-published-12-11-25 - subscription required.
Review – Bills Introduced – 12-10-25
Yesterday, with both the House and Senate in Washington, there were 88 bills introduced. Two of those bills are likely to be covered in this blog:
HR 6584 To amend title 10, United States Code, to strengthen and enhance the Department of Defense cyber workforce, and for other purposes. Neguse, Joe [Rep.-D-CO-2]
HR 6605 To require the Comptroller General of the United States to report on the use of unmanned aircraft systems and on systems developed to counter such unmanned aircraft systems by Federal, State, local, and Tribal agencies. Vasquez, Gabe [Rep.-D-NM-2]
Short Takes – 12-11-25 – Federal Register Edition
Agency Information Collection Activities: Generic Clearance for the Collection of Qualitative Feedback on Agency Service Delivery, 1601-0014. Federal Register DHS 60-day ICR renewal notice. Summary: “The Agency will collect, analyze, and interpret information gathered through this generic clearance to identify strengths and weaknesses of current services and make improvements in service delivery based on feedback. The solicitation of feedback will target areas such as: timeliness, appropriateness, accuracy of information, courtesy, efficiency of service delivery, and resolution of issues with service delivery. Responses will be assessed to plan and inform efforts to improve or maintain the quality of service offered to the public. If this information is not collected, vital feedback from customers and stakeholders on the Agency's services will be unavailable.” Comments due February 9th, 2026.
Agency Information Collection Activities; Submission to the Office of Management and Budget (OMB) for Review and Approval; Comment Request; User Needs Survey by the Space Weather Advisory Group. Federal Register, NOAA 60-day ICR renewal notice. Summary: “Members of the SWAG will oversee recruitment of the respondents from several sectors across the Space Weather enterprise including the general public, defined as adults ages 18+. They will be asked questions about their current use of space weather observations, information, and forecasts, technological systems, components or elements affected by space weather, current and future risk and resilience activities, future space weather requirements, and unused or new types of measurements or observations that would enhance space weather risk mitigation. This data collection serves many purposes, including gaining a better understanding of the needs of users of space weather products. The SWAG will use the data to identify the space weather research, observations, forecasting, prediction, and modeling advances required to improve space weather products. Specifically, the information will be used to advise the National Science and Technology Council's Space Weather Operations, Research, and Mitigation (SWORM) Subcommittee on improving the ability of the United States to prepare for, mitigate, respond to, and recover from space weather storms.” Comments due February 9th, 2026.
Notice of Availability, Notice of Public Comment Period, and Request for Comment on the Draft Programmatic Environmental Assessment for Drone Package Delivery Operations in the United States. Federal Register FAA notice of availability. Summary: “The Federal Aviation Administration (FAA) announces the availability of and requests comments on the draft Programmatic Environmental Assessment (PEA) related to unmanned aircraft systems (UAS) (drone) package delivery operations in the United States.” Comments due January 8th, 2026.
Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program. Federal Register FCC notice of proposed rulemaking. Summary: “In this document, the Federal Communications Commission (Commission or FCC) aims to further its actions in strengthening prohibitions on authorization of covered equipment and to clarify the rules and enforcement of such. The Commission seeks additional comment on modular transmitters and component parts in relation to covered equipment. The Commission addresses the partial court remand of the decision in its November 2022 EA Security R&O by proposing a definition of “critical infrastructure” as used on the Covered List and seeking comment on the implementation of that definition. The Commission also seeks comment on whether any modification to an authorized device by an entity identified on the Covered List should require a new application for certification. Finally, the Commission seeks comment on clarifying the scope of activities that constitute marketing of equipment and on measures to strengthen enforcement of marketing prohibitions.” Comments due January 5th, 2026.
EO 14364 - Addressing Security Risks From Price Fixing and Anti-Competitive Behavior in the Food Supply Chain. Federal Register.
Reader Comments – S 1071 Whistleblower
Yesterday I approved publication of four comments to my initial post about S 1071, the FY 2026 National Defense Authorization Act. All four comments come from the pseudonymous DAVE, who claims to be The Whistleblower about the bill. I am not sure which provisions in the bill DAVE is blowing about, but the comments meet the loose rules that I have for moderating comments: nothing abusive and no naked spam. I have not followed up on any of DAVE’s comments, and my posting of them to the blog does not indicate support for the content or belief in the claims.
Having said all of that…. One of the problems with sausage bills like S 1071 is that with over 3,000 pages of bill text crafted behind closed doors, with little time for detailed review, and with effectively no public debate, all sorts of interesting tidbits have a tendency to get added to the bill (see for example this article at TheHill.com) to encourage support from key members of Congress. And I am sure that there are more disclosures to come.
The problem is compounded by the fact that Congress is nearly evenly divided and has become so hyperpolitical that it consumes the available time counting political coup (House) and approving fringe political appointees (Senate), so that serious lawmaking is, for the most part, no longer being accomplished. So, when legislative sausage is made, all sorts of odd stuff gets thrown into the grinder.
Perhaps it is time to look at Robert Heinlein’s suggestion for a bicameral legislature made in his book “The Moon Is a Harsh Mistress”. One of his revolutionaries proposed a legislature where one house passed bills by a supermajority and the other repealed legislation by a simple majority. Obviously that government would be in constant turmoil, but that was the point; that turmoil would limit the capacity for oppression.
S 1437 Passed in Senate – ASCEND Act
On Tuesday the Senate took up S 1437 (link to engrossed version), the Accessing Satellite Capabilities to Enable New Discoveries (ASCEND) Act, which had been introduced by Sen. Hickenlooper (D,CO) on April 10th, 2025. The bill was passed by unanimous consent. A similar bill (HR 2600) was introduced in the House and ordered reported favorably by the House Science, Space, and Technology Committee.
The bill amends 51 USC by adding §60307. It would require NASA to “‘Commercial Satellite Data Acquisition Program’, to cost-effectively acquire and disseminate commercial Earth observation data and imagery in order to complement the scientific, operational, and educational requirements of the Administration, and where appropriate, of other Federal agencies and scientific researchers.” No new funding is authorized by the legislation.
Wednesday, December 10, 2025
S 1071 Passed in House – FY 2026 NDAA
This afternoon the House took up S 1071, the vehicle for the FY 2026 National Defense Authorization Act. After a little more than an hour of debate, and a motion to recommit (which failed), the House voted 312 to 112 to pass the amended bill. There was a bit of political theatrics earlier in the day when H Res 936, the rule for the consideration of S 1071 (and five other bills), was being considered. The vote was kept open for an hour and 22 minutes while the Republican leadership twisted arms to get five Republicans to change their Nays to Yeas, passing the Resolution by a vote of 215 to 211.
The bill now goes back to the Senate where there should be sufficient votes to pass the bill once it comes to a vote. There will be roadblocks, snags, and delays, but the bill will eventually pass.
Review – S 1071 and Cybersecurity – FY 2026 NDAA
Yesterday the House Rules Committee completed the Rule that includes the consideration of S 1071, the FY 2026 National Defense Authorization Act (NDAA). The resolution approving that rule will be voted on today, and the bill will probably be considered on Thursday. The 3,083-page text of the bill contains 367 separate mentions of the word ‘cyber’, a few too many to do a reasonable assessment here. The picture is better for the term ‘cybersecurity’: there are only 86 mentions, but that is still too many for a short form analysis like this.
A more reasonable way to look at cybersecurity in a bill of this size is to look at the individual sections that deal with cybersecurity issues. That is much easier, as there are just eight such sections:
§ 866. Cybersecurity regulatory harmonization.
§ 1067. Cybersecurity and resilience annex in Strategic Rail Corridor Network assessments.
§ 1511. Secure mobile phones for senior officials and personnel performing sensitive functions.
§ 1512. Artificial intelligence and machine learning security in the Department of Defense.
§ 1513. Physical and cybersecurity procurement requirements for artificial intelligence systems.
§ 1514. Collaborative cybersecurity educational program.
§ 1515. Incorporation of artificial intelligence considerations into cybersecurity training.
§ 8339. Supporting cybersecurity and cyber resilience in the Western Balkans. (State Dept)
The five § 15XX sections are all within TITLE XV, Cyberspace-Related Matters. These deal almost entirely with military matters, and three of them specifically deal with artificial intelligence issues related to cybersecurity, which I currently consider beyond the scope of this blog. I am also going to ignore the section dealing with secure telephones, with the caveat that anyone who uses a cell phone should peruse the section, just to see what types of things security folks worry about with these ubiquitous devices. Finally, the State Department requirement to support cybersecurity in the Western Balkans is of little specific interest here. So that leaves three sections of potential interest here.
Review – Bills Introduced – 12-9-25
Yesterday, with both the House and Senate in Washington, there were 77 bills introduced. Two of those bills may receive additional coverage in this blog:
HR 6507 To amend the Homeland Security Act of 2002 and certain other laws relating to certain preparedness, transit, and port security grant programs to improve oversight, transparency, and stakeholder engagement in the administration of such grant programs, and for other purposes. Kennedy, Timothy M. [Rep.-D-NY-26]
HR 6530 To require the Chief Information Officer of the Department of Defense to include training on artificial intelligence cybersecurity issues for members of the Armed Forces and civilian employees of the Department of Defense, and for other purposes. Larsen, Rick [Rep.-D-WA-2]
Space Geek
I would like to mention one bill under my limited Space Geek coverage in this blog:
S 3404 A bill to require a report on Federal support to the cybersecurity of commercial satellite systems, and for other purposes. Peters, Gary C. [Sen.-D-MI]
For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-12-9-25 - subscription required.
CSB Announces Their Latest Safety Video – 12-9-25
Yesterday the Chemical Safety Board announced the availability of their latest chemical incident safety video: “Low Pressure, Fatal Consequence: Explosion at Yenkin-Majestic”. This video looks at the April 8th, 2021 low-pressure (below the 15-psig threshold at which the ‘high pressure’ operations standard applies) flammable-vapor release and explosion incident at the Yenkin-Majestic Paint Corporation facility in Columbus, Ohio. That incident resulted in the death of one employee and injuries to eight others.
While this video reviews the series of events that led to this specific incident, it makes the point that the same problems that led to this incident may exist at other facilities that handle flammable chemicals in vessels designed for low-pressure operations. It emphasizes that the recommendations made to the facility operator in this incident are applicable to many chemical operators.
Tuesday, December 9, 2025
Review – 3 Advisories Published – 12-9-25
Today CISA’s NCCIC-ICS published three control system security advisories for products from an India-based CCTV vendor (D-Link), Festo, and U-BOOT.
Advisories
D-Link Advisory - This advisory describes a missing authentication for critical function vulnerability in the D-Link (India-Limited) DCS-F5614-L1 CCTV (not sold in US).
Festo Advisory - This advisory discusses a cross-site scripting vulnerability (with publicly available exploit) in the Festo LX Appliance.
U-BOOT Advisory - This advisory describes an improper access control for volatile memory containing boot code vulnerability in the U-BOOT bootloader (the advisory lists affected Qualcomm chips).
For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-9-25 - subscription required.
OMB Approves Initial TraCSS ICR
Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a new information collection request (ICR) from the DOC’s National Oceanic and Atmospheric Administration (NOAA) for “Traffic Coordination System for Space (TraCSS)”. The 60-day ICR notice was published on April 28th, 2025, and the 30-day ICR notice was published on July 25th, 2025. This collection will support the registration process for the new U.S. civil space situational awareness (SSA) system, the Traffic Coordination System for Space (TraCSS).
The table below shows the initial burden estimate for this ICR.
Initial Burden Data | 12-8-25
Responses | 24,623
Burden (hrs) | 6,289
According to the Abstract provided in the Supporting Document submitted to OIRA:
“Users of the system - specifically, spacecraft owners/operators and national governments, are asked to provide information when they register for the system. This information includes organizational information and information about the spacecraft affiliated with the organization. This information is necessary to ensure that entities receive the appropriate safety services and information relevant to their spacecraft. Information provided about supported spacecraft can also help to improve the accuracy and overall quality of services. Spacecraft operators are also asked to provide information on an ongoing basis, including spacecraft ephemerides and maneuver plans, to improve the accuracy and overall quality of services.”
OMB Approves CEQ Guidance on NEPA and Emergencies
Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a guidance document from the Council on Environmental Quality (CEQ) on “Guidance on Emergencies and the National Environmental Policy Act”. The document was sent to OIRA on May 8th, 2025.
Guidance documents are not typically described in the Unified Agenda, but this one would appear to address a memorandum from Brenda Mallory, the previous CEQ Chair, that was published on December 18th, 2024: “Emergencies and the National Environmental Policy Act Guidance”. That memo provided guidance on how agencies should include environmental stewardship activities in their responses to emergencies “involving immediate threats to human health or safety, or immediate threats to valuable natural resources” that do not allow time to complete the steps outlined in the National Environmental Policy Act regulations.
I do not expect to cover this guidance document in any detail in this blog, but its publication will almost certainly be noted in the appropriate Short Takes post.
Monday, December 8, 2025
Short Takes – 12-8-25 – Space Geek Edition
Beyond the horizon: cost-driven strategies for space-based data centers. SpaceNews.com commentary. Pull quote: “Orbital data centers are not just technically feasible, they’re economically executable. But only if we treat autonomy as a cost-saving necessity, not a luxury. Only if we embed strategic procurement models into mission design. And only if we let sourcing strategy guide the way.”
Russia is out of the human spaceflight business — for now. TheHill.com commentary. Pull quote: “Add to that the economic sanctions that the West has imposed on Russia to punish it for its aggression, the betting is that the country that once astonished the world with the first satellite and the first man in space is out of the human spaceflight business for the foreseeable future.” Includes an interesting discussion of the current sole-source manned spaceflight situation and the need for other actors’ involvement.
China faces temporary emergency launch gap after space station lifeboat crisis. SpaceNews.com article. Pull quote: “A recent report by state media China Central Television (CCTV) on the Shenzhou-20 incident reveals that the Shenzhou-23 spacecraft was initially planned to be completed in March 2026, for delivery to Jiuquan to provide a backup to Shenzhou-22, which was originally expected to launch around May.”
Giant sunspot on par with the one that birthed the Carrington Event has appeared on the sun — and it's pointed right at Earth. LiveScience.com article. Pull quote: “The Carrington Event unleashed an estimated X45 magnitude solar flare in 1859, which remains a record, although there is geological evidence that even more powerful blasts occurred long before humans emerged. For context, an X45 flare is more than five times stronger than the most powerful solar flare of the last decade — an X7 blast in October 2024.”
Mobile networks want to use the satellite airwaves we need to track climate change. SpaceNews.com commentary. Pull quote: “Whatever happens, the dispute itself represents a hinge moment. Spectrum has become a commodity: something industries are willing to fight over, something governments are tempted to monetize, something investors are prepared to spend eye-watering sums to secure. As competition heats up, the public-interest functions of spectrum risk being crowded out by private concerns. Earth monitoring is a vital public good that risks being set aside so that — to be vulgar — a handful of massive companies can make more money. No doubt in doing so they will be benefitting their customers.”
Mars Sample That May Contain Evidence of Life Might Never Come Home. ScientificAmerican.com article. Pull quote: “The sample tubes packed inside the rover can last up to half a century. If MSR is canceled or postponed again, Perseverance could drop them somewhere on the surface in the hope that some future mission—perhaps even a human expedition—collects them. Or maybe another country, such as China, might decide to grab them. “Why not?” says Jim Green, former NASA chief scientist and director of NASA’s Planetary Science Division from 2006 to 2018. “There’s nothing on [the tubes] that says ‘Property of the United States.’””
Moonshot Space Raises $12M for Electromagnetic Launch. PayLoadSpace.com article. Pull quote: “Moonshot’s idea is not to compete with chemical-based rocket launchers by attempting to send high-tech satellites to orbit. Instead, Moonshot wants to use the technology to send raw materials that can withstand the shock of high-acceleration launch, and lower the input costs of the budding in-space servicing, refueling, and manufacturing industries.”
Cosmonaut removed from SpaceX's Crew 12 mission for violating national security rules: report. Space.com article. Pull quote: “The Insider also cited a Sunday (Dec. 1) report by a Russian-spaceflight channel on Telegram called "Yura, Forgive Me!" According to that report, the violations occurred last week, when Artemyev was training at SpaceX's headquarters in Hawthorne, California. He allegedly photographed SpaceX engines and other sensitive tech with his phone.”
Backlog List
• What is the chance your plane will be hit by space debris?
• Redwire lands $44 million DARPA award to build air-breathing satellite,
• Katalyst selects Pegasus to launch Swift reboost mission,
• Kymeta and iRocket working on multi-orbit Golden Dome interceptor connectivity,
• NASA to fly only cargo on next Starliner mission under modified contract, and
• China’s Shijian spacecraft separate after pioneering geosynchronous orbit refueling tests.
Review – Committee Hearings – Week of 12-7-25
With both the House and Senate in Washington this week, there is a relatively light hearing schedule. The House Rules Committee will meet to formulate the rule for the consideration of S 1071, the vehicle for the FY 2026 National Defense Authorization Act. The Senate will see a committee vote on the NASA Administrator nomination. And there will be a House hearing on threats to the Homeland. In addition to the floor consideration of S 1071, there will be two other bills of tangential interest here that will be considered in the House.
Nomination Votes
Today the Senate Commerce, Science and Transportation Committee will hold a business meeting to vote on eight separate nominations. Three nominations are of potential interest here:
• Jared Isaacman, to be Administrator of the National Aeronautics and Space Administration
• Richard Kloster, to be a Member of the Surface Transportation Board
• Adm. Kevin E. Lunday, to be Commandant of the United States Coast Guard
Threats to the Homeland
On Thursday, the House Homeland Security Committee will hold a hearing on “Worldwide Threats to the Homeland”.
On the Floor
S 1071 has not yet made it to the House weekly schedule, but it will almost certainly come to the floor this week. Two other bills of potential interest here (though not specifically covered in this blog) are scheduled to be considered under a rule this week:
HR 3638 – Electric Supply Chain Act, and
HR 3668 – Improving Interagency Coordination for Pipeline Reviews Act
For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-12-7-25 - subscription required.