Sunday, November 30, 2025

Short Takes – 11-30-25 – Space Geek Edition

Varda Space launches its fifth mission, extends run of AFRL test flights. SpaceNews.com article. Pull quote: “AFRL awarded Varda a multi-year Indefinite Delivery, Indefinite Quantity contract that secures access to reentry flights through at least 2028. Under the IDIQ, AFRL can task Varda with flying experimental payloads, collecting reentry data and returning hardware for analysis, effectively treating the commercial capsules as a repeatable hypersonic test range. Commercial reentry vehicles like Varda’s offer a way to increase test cadence without major infrastructure investments.”

Before a Soyuz launch Thursday someone forgot to secure a 20-ton service platform. ArsTechnica.com article. Pull quote: “The at least temporary loss of Site 31 will only place further pressure on SpaceX. The company currently flies NASA’s only operational crewed vehicle capable of reaching the space station, and the space agency recently announced that Boeing’s Starliner vehicle needs to fly an uncrewed mission before potentially carrying crew again. Moreover, due to rocket issues, SpaceX’s Falcon 9 vehicle is the only rocket currently available to launch both Dragon and Cygnus supply missions to the space station. For a time, SpaceX may also now be called upon to backstop Russia as well.”

Northrop Grumman selected to provide cargo services for final phase of ISS. SpaceNews.com article. Pull quote: “That constraint does not affect Northrop Grumman’s Cygnus, which is grappled by the station’s robotic arm and attached to one of two separate berthing ports. “NG is the only CRS-2 provider currently capable of attaching to the ISS via a berthing port, which means NG is the only responsible source that can provide resupply services after the USDV [US deorbit vehicle] arrives and docks to the ISS,” NASA stated in a justification document.”

Space Force awards first prototype deals for space-based interceptors under Golden Dome. SpaceNews.com article. Pull quote: “According to his calculations, intercepting even one missile [in boost phase] reliably might require about 950 orbiting interceptors. If an adversary fires 10 missiles, the constellation might need to grow to 9,500 interceptors. The scaling cost, he said, could make the architecture impractical.”

China launches an emergency lifeboat to bring three astronauts back to Earth. ArsTechnica.com article. Pull quote: “While this crew is just one month into their planned six-month expedition, an emergency could force them to leave the station and return home at any time. Although remote, another collision with space junk, a major systems failure, or a medical emergency involving one of the astronauts could trigger an evacuation. That’s why Chinese officials wanted to quickly launch Shenzhou 22 to give the crew a ticket home. The International Space Station follows the same policy, with SpaceX’s Dragon spacecraft and Russian Soyuz ships serving as lifeboats until their crews’ scheduled return to Earth.”

Shenzhou-22 docks at Tiangong space station, resolving human spaceflight emergency. SpaceNews.com article. Pull quote: “The [new] spacecraft incorporates updates including an improved human–machine interface, a miniaturized instrument panel, an optimized return-capsule layout, and increased down-mass capability. It also carries a device described as being able to treat the cracks in Shenzhou-20’s port window. The Shenzhou-20 spacecraft will remain in orbit to conduct relevant experiments,” CMSEO stated.”

Oman brings GEO orders level with 2024 as larger spacecraft regain traction. Pull quote: “Financial details were not disclosed. The contract includes a knowledge-sharing partnership as Oman joins other Middle Eastern nations pursuing greater space sovereignty and a more diversified economy in anticipation of a post-oil future.”

BlackSky announces latest Gen-3 satellite in orbit after confidential Electron launch. SpaceNews.com article. Pull quote: “The company announced Nov. 25 that its newest Gen-3 satellite produced its first high-resolution imagery less than 24 hours after its launch this month. The spacecraft is the third Gen-3 satellite in orbit, capable of producing images at a resolution of 35 centimeters and offering advanced features such as infrared imaging and intersatellite links.”

Backlog List:

New 'nearly interstellar' comet — wrongly linked to 3I/ATLAS — will reach its closest point to Earth on Tuesday (Nov. 11),

European companies to fly commercial microgravity mission in 2026,

Ground truth: Why the lunar program needs its Earthbound network,

Dream Chaser completes key tests ahead of first flight,

The fallacy of being first — let’s be enduring instead, and

OHB raises concerns about planned European space joint venture.

Review – Public ICS Disclosures – Week of 11-22-25 – Part 2

For Part 2 we have three additional vendor disclosures from ABB, and Wibu (2). There are also six vendor updates from ABB, FortiGuard (2), and Mitsubishi (3). Finally, we have five exploits for products from Broadcom, FortiGuard (2), HP, and Ruckus.

Advisories

ABB Advisory - ABB published an advisory that discusses 22 vulnerabilities in their Ability Camera Connect product.

Wibu Advisory #1 - Wibu published an advisory that describes a write-what-where condition vulnerability in their legacy WibuKey product.

Wibu Advisory #2 - Wibu published an advisory that describes an improper restriction of operations within the bounds of a memory buffer vulnerability in their legacy WibuKey product.

Updates

ABB Update - ABB published an update for their Terra AC wallbox advisory that was originally published on September 16th, 2025, and most recently updated on October 27th, 2025.

FortiGuard Update #1 - FortiGuard published an update for their CAPWAP daemon advisory that was originally published on November 18th, 2025.

FortiGuard Update #2 - FortiGuard published an update for their CAPWAP daemon advisory that was originally published on November 18th, 2025.

Mitsubishi Update #1 - Mitsubishi published an update for their Lighting Control System MILCO.S advisory that was originally published on November 18th, 2025.

Mitsubishi Update #2 - Mitsubishi published an update for their Flexera InstallShield advisory that was originally published on July 24th, 2025.

Exploits

Broadcom Exploit - Indoushka published an exploit for two vulnerabilities in the Broadcom Brocade Fabric OS.

FortiGuard Exploit #1 - Indoushka published an exploit for a relative path traversal vulnerability in the FortiGuard FortiWeb product.

FortiGuard Exploit #2 - Sfewer-r7 published a Metasploit module for two vulnerabilities in the FortiGuard FortiWeb product.

HP Exploit - Indoushka published an exploit for an improper authentication vulnerability in the HP Intelligent Management product.

Ruckus Exploit - Huthaifa Qashou published an exploit for a cross-site scripting vulnerability in the Ruckus Unleashed product.


For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-f10 - subscription required.

Saturday, November 29, 2025

Review - Bills Introduced – 11-28-25

With both the House and Senate meeting in pro forma session, there were 13 bills introduced. One of those bills may receive additional coverage in this blog:

HR 6326 To accelerate accreditation and access to sensitive compartmented information facilities for industry, and for other purposes. Ryan, Patrick [Rep.-D-NY-18]


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief mention of a tariff price gouging bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-11-28-25 - subscription required.

Review – Public ICS Disclosures – Week of 11-22-25 – Part 1

This week is a moderately busy disclosure week. For Part 1 we have 13 vendor disclosures from Carrier (3), Dassault Systems (2), Eaton, Hitachi, Janitza, Mitsubishi, Moxa (3), and Splunk.

Advisories

Carrier Advisory #1 - Carrier published an advisory that describes two vulnerabilities in multiple Carrier and Automated Logic products.

Carrier Advisory #2 - Carrier published an advisory that describes an improper validation of array index vulnerability in multiple Carrier and Automated Logic products.

Carrier Advisory #3 - Carrier published an advisory that describes an improper input validation vulnerability in Carrier and Automated Logic Zone Controllers.

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Product Manager.

Dassault Advisory #2 - Dassault published an advisory that describes a cross-site scripting vulnerability in their DELMIA Service Process Engineer product.

Eaton Advisory - Eaton published an advisory that describes a path traversal vulnerability in their Galileo Software.

Hitachi Advisory - Hitachi published an advisory that discusses three vulnerabilities in multiple Hitachi products.

Janitza Advisory - CERT-VDE published an advisory that describes an improper validation of specified type of input vulnerability in the Janitza UMG 96-PA and UMG 96-PA-MID products.

Mitsubishi Advisory - Mitsubishi published an advisory that describes a cleartext storage of sensitive information vulnerability in their GX Works2 product.

Moxa Advisory #1 - Moxa published an advisory that describes a clickjacking vulnerability in their ioLogik E1200 Series and E2200 Series products.

Moxa Advisory #2 - Moxa published an advisory that describes a password autocompletion vulnerability in their ioLogik E1200 Series and E2200 Series products.

Moxa Advisory #3 - Moxa published an advisory that describes a cleartext transmission of sensitive information vulnerability in their ioLogik E1200 Series and E2200 Series products.

Splunk Advisory #1 - Splunk published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Add-On for Palo Alto Networks.

Splunk Advisory #2 - Splunk published an advisory that discusses three vulnerabilities (one with publicly available exploits) in their SOAR product.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-485 - subscription required.

Friday, November 28, 2025

CISA Adds OpenPLC-ScadaBR Vulnerability to KEV Catalog – 11-28-25

Today CISA announced that they had added a cross-site scripting vulnerability in the “OpenPLC ScadaBR” product. ScadaBR reported the vulnerability in June of 2021 (no mention of OpenPLC). On March 2nd, 2021, Fellipe Oliveira published two exploits (for Windows, for Linux) for the vulnerability. On October 9th of this year, Forescout’s Vedere Labs published a report about a ‘Russian aligned group’ that used this vulnerability to exploit access to a honeypot (which they thought was a public water system) that had been gained via default authentication.

According to the ScadaBR web site (Google translation from Portuguese), in the response to the initial report of this vulnerability by h3v0x (apparently Fellipe Oliveira):

“Here in Brazil, ScadaBR was discontinued by the developers; the last version was 1.1. ScadaBR is being continued, but not by Brazilian developers. The project has 20 contributors worldwide and is now called ScadaLTS.”

There are currently no security advisories for ScadaLTS, so maybe the vulnerability does not affect that version of the product.

CISA has directed federal agencies that are operating the affected ‘OpenPLC – ScadaBR’ product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of December 19th, 2025 has been set for compliance.

Short Takes – 11-28-25 – Federal Register Edition

Agency Information Collection Activities: 1670-0048: SAFECOM Nationwide Surveys Generic Clearance. Federal Register DHS 30-day ICR notice. Purpose: “To perform these statutory obligations [link added], CISA seeks renewal of its PRA Generic Clearance to maintain flexibility in implementing surveys that are relevant to the current emergency communications environment. To meet the statutory requirements of 6 U.S.C. 573, ECD conducts the SAFECOM Nationwide Survey (SNS) to assess evolving capability needs and gaps and track progress against policy initiatives, status of strategic plans, and major industry or market shifts affecting the emergency communications capability.” Comments due December 29th, 2025.

Pipeline Safety: Information Collection Activities. Federal Register PHMSA PSR 30-day ICR notices. 12 separate ICRs included. Comments due: December 29th, 2025.

1. Excess Flow Valves—New Customer Notifications, OMB Control Number: 2137-0631,

2. Natural Gas Distribution Infrastructure Safety and Modernization Grant Program, OMB Control Number: 2137-0641,

3. Reporting Safety-Related Conditions on Gas, Hazardous Liquid, and Carbon Dioxide Pipelines and Liquefied Natural Gas Facilities, OMB Control Number: 2137-0578,

4. National Pipeline Mapping Program, OMB Control Number: 2137-0596,

5. Hazardous Liquid Pipeline Operator Annual Reports, OMB Control Number: 2137-0614,

6. Hazardous Liquid Operator Notifications, OMB Control Number: 2137-0630,

7. Notification Requirements for Gas Transmission Pipelines, OMB Control Number: 2137-0636,

8. Transportation of Hazardous Liquids by Pipeline: Record keeping and Accident Reporting, OMB Control Number: 2137-0047,

9. Record keeping Requirements for Gas Pipeline Operators, OMB Control Number: 2137-0049,

10. Annual Report for Gas Distribution Operators, OMB Control Number: 2137-0629,

11. Incident Reports for Natural Gas Pipeline Operators, OMB Control Number: 2137-0635, and

12. Annual and Incident Reports for Gas Pipeline Operators, OMB Control Number: 2137-0522.

Notice of Funding Availability for Credit Assistance Under the Water Infrastructure Finance and Innovation Act (WIFIA) Program. Federal Register EPA notice of funding availability – Summary: “The purpose of this notice of funding availability (NOFA) is to solicit letters of interest (LOIs) from prospective borrowers seeking credit assistance from the U.S. Environmental Protection Agency (EPA) under the Water Infrastructure Finance and Innovation Act (WIFIA) program. EPA estimates that it may lend approximately $6.5 billion to help finance $13 billion in water infrastructure investment.” Includes support for cybersecurity measures with the Drinking Water State Revolving Fund.

EO 14363 - Launching the Genesis Mission – Federal Register.

Transportation Chemical Incidents – Week of 10-25-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 544 (510 highway, 29 air, 5 rail, 0 water)

• Serious incidents – 2 (2 Bulk release, 0 evacuation, 2 injury, 0 death, 0 major artery closed, 1 fire/explosion, 33 no release)

• Largest container involved – 30,420-gal DOT 113C120W9 Railcar {Ethylene, Refrigerated Liquid (Cryogenic Liquid)} The tank car was at 76 psi and intermittently venting.

• Largest amount spilled – 800-gal DOT 406 Trailer {Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol.} Driver attempted to adjust truck position while still hooked up to tank.

• Total amount reported spilled in all incidents – 2063.2-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Barium Selenate: No data available in Cameo (Source: CameoChemicals.NOAA.gov). This is the first time that I have seen a listing on Cameo that had nothing beyond the generic ERG guide {#151 – Toxic (Non-Combustible)} information; no description and no physical data.


Section 2209 Fixed Site Drone Exclusion Rulemaking Delay

Back in May the DOT’s Federal Aviation Administration (FAA) sent a notice of proposed rulemaking to the OMB’s Office of Information and Regulatory Affairs (OIRA) on “Designation - Restrict the Operation of an Unmanned Aircraft in Close Proximity to a Fixed Site Facility”. This rulemaking was mandated by §2209 of the FAA Extension, Safety and Security Act (PL 114-190, 130 STAT. 634), and was supposed to have been completed by January 11th, 2017. Then in June, the President issued EO 14305, Restoring American Airspace Sovereignty, reiterating the Administration’s intent to quickly implement this legislative mandate. So, why has this NPRM not yet been approved by OIRA?

Generally speaking, OIRA has 90 days {§6(b)(2)(B) EO 12866} to ‘approve’ a rulemaking, though that can be extended by 30 days. Or the Administrator can send the rulemaking back to the submitting agency “for further consideration of some or all of its provisions” {§6(b)(3)}. There is no requirement to notify the public of such ‘further consideration’ actions.

As part of its review process, OIRA may receive input from the public via meetings with OIRA that include representatives of the submitting agency. This input process is also governed by EO 12866 {§6(b)(4)}. A public listing of meetings governed by this process is maintained by OIRA and is available online as part of the Unified Agenda listing for each rulemaking. The record for the §2209 rulemaking can be found here.

There are a total of 19 EO 12866 meetings listed for this rulemaking, three before the rulemaking was submitted to OIRA by the FAA, 15 within 35 days of that submission, and one in September. OIRA did not accept any EO 12866 meetings during the funding fiasco. While the details of these discussions are not available, a look at the names of the parties involved makes it clear that (not surprisingly) most of the meetings were requested to discuss concerns about the scope of the rulemaking.

With a variety of drone delivery services being participants in a significant number of the meetings, I would expect that their concerns would deal with scope of the area covered by the drone exclusion zone for the critical infrastructure. If that zone were to extend beyond the boundaries of the requesting critical infrastructure facility, it could restrict deliveries to some customers of those services. Questions could also have been raised about UAV deliveries to the facilities requesting the exclusion zone. Overly large exclusion zones could also impact route selection and thus the cost of deliveries made by those services.

Drone manufacturers and user groups were also well represented at these meetings. Both groups would be expected to have concerns about how these exclusion zones would be communicated to the public, how operators would be expected to be aware of those zones, and how they would know where their vehicles were in relation to those zones. Would there be requirements for geofencing, for example, and if there were such requirements, how would they affect UAVs already in service? Finally, how would the size of the vehicle affect the application of the rulemaking; would micro-drones, for example, be affected?

If any of these concerns were not appropriately addressed in the proposed rule, the FAA may have had to make changes to the regulatory requirements in the rule, or changes to the discussions in the preamble that would clarify the intent of the agency. All of these could further slow the publication of the notice of proposed rulemaking.

Wednesday, November 26, 2025

Short Takes – 11-26-25 – Federal Register Edition

Internal Governance. Federal Register CSB final rule. Summary: “The U.S. Chemical Safety and Hazard Investigation Board (“CSB”) is amending regulations relating to its CSB's internal organization, management, and operations. These amendments make grammatical and stylistic updates to current CSB internal regulations in order to improve their function and better reflect the CSB's mission. The amendments also clarify procedures involving quorum and public meetings. Finally, the amendments update the current address of the CSB.” Effective date: January 26th, 2026.

Notice of Request for Information; Accelerating the American Scientific Enterprise. Federal Register OSTP request for information. Summary: “The Office of Science and Technology Policy (OSTP) requests input from all interested parties on Federal policy updates that aim to accelerate the American scientific enterprise, enable groundbreaking discoveries, and ensure that scientific progress and technological innovation benefit all Americans. Through this Request for Information (RFI), OSTP seeks input from academia; private sector organizations; industry groups; state, local, and tribal governments; and other stakeholders regarding priorities for strengthening the science and technology (S&T) ecosystem to support both the expansion of scientific knowledge and the mechanisms to transition these discoveries into the marketplace. This RFI will inform the formulation of Executive branch efforts to advance and maintain U.S. S&T leadership.”

Revision of Agency Information Collection Activity Under OMB Review: Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP). Federal Register TSA 30-day ICR renewal notice. Abstract: “DHS TRIP is a single point of contact for individuals who have inquiries or seek resolution regarding difficulties they have experienced during their travel screening. TSA manages the DHS TRIP office on behalf of DHS. The collection of information includes: (1) a Traveler Inquiry Form, which includes the individual's identifying and travel experience information; and (2) two optional, anonymous customer satisfaction surveys to allow the public to provide DHS feedback on its experience using DHS TRIP.”

EO 14361 - Regulatory Relief for Certain Stationary Sources To Promote American Coke Oven Processing Security. Federal Register.

OMB Approves PHMSA Drone HAZMAT Delivery ANPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an advanced notice of proposed rulemaking (ANPRM) from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) on “Hazardous Materials: Modernizing Regulations to Facilitate Transportation of Hazmat Using Autonomous Systems”. This news comes just a week after the DOT’s Federal Aviation Administration (FAA) published their guidance document on “Hazardous Materials: Modernizing Regulations to Facilitate Transportation of Hazmat Using Autonomous Systems”.

According to the Spring 2025 Unified Agenda entry for this PHMSA rulemaking:

“In this rulemaking, PHMSA would amend the Hazardous Materials Regulations (HMR) to address the role of autonomous transportation systems (e.g., drones, etc.) in the transportation of hazardous materials. The rulemaking will consider necessary clarifications to the HMR regarding handling, transportation, and hazard communication unique to the movement of hazardous materials by autonomous transport systems. PHMSA would coordinate closely with its modal partners within the Federal Aviation Administration, Federal Motor Carrier Safety Administration, Federal Railroad Administration, and U.S. Coast Guard to ensure a comprehensive approach that allows for the seamless movement of goods across multiple modes of transport while allowing for the specific needs of each mode to be safely addressed.”

I expect that this ANPRM will be published in the Federal Register after the Thanksgiving holiday.

Review - Bills Introduced – 11-25-25

Yesterday with both the House and Senate meeting in pro forma sessions, there were 33 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 6309 To impose sanctions with respect to designated critical cyber threat actors, and for other purposes. Pfluger, August [Rep.-R-TX-11]

HR 6315 To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems. Valadao, David G. [Rep.-R-CA-22] 


For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of an AI leadership bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-11-25-25 - subscription required.

Tuesday, November 25, 2025

Review – 6 Advisories and 1 Update Published – 11-25-25

Today CISA’s NCCIC-ICS published five control system security advisories for products from SiRcom, Festo, Opto 22, Zenitel, Rockwell, and Ashlar-Vellum. They also updated an advisory for products from Mitsubishi.

Advisories

SiRcom Advisory - This advisory describes a missing authentication for critical function vulnerability in the SiRcom SMART Alert (SiSA) central control system.

Festo Advisory - This advisory discusses two vulnerabilities in multiple Festo product lines.

NOTE: I briefly discussed these vulnerabilities on December 3rd, 2022.

Opto 22 Advisory - This advisory describes an exposure of sensitive data through meta data vulnerability in the Opto 22 groov View product line.

Zenitel Advisory - This advisory describes five vulnerabilities in the Zenitel TCIV-3+ IP video intercom.

Rockwell Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Rockwell Arena Simulation product.

NOTE: I briefly discussed this vulnerability on November 16th, 2025.

Ashlar-Vellum Advisory - This advisory describes two vulnerabilities in multiple Ashlar-Vellum products.

Updates

Mitsubishi Update - This update provides additional information on the FA Engineering Software advisory that was originally published on December 5th, 2022, and most recently updated on June 29th, 2023.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-b5e - subscription required.

Review – S 2431 Introduced – FY 2026 IER Spending

Back in July Sen Murkowski (R,AK) introduced S 2431, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2026. At the same time the Senate Appropriations Committee published their Report for the bill. The bill includes one cybersecurity mention and there were two related discussions in the Report. The Chemical Safety Board (CSB) was funded. There were seven additional chemical related discussions in the Report, including spending allocations and earmarks.

S 2431 is similar to S 4802, the Department of the Interior, Environment, and Related Agencies Appropriations Act, 2025, that was introduced by Sen Merkley in July 2024. No action was taken on that bill in the 118th Congress. HR 8988, the closely related House bill was passed in the House by a vote of 210 to 205, but no action was taken on the bill in the Senate.

Moving Forward

The plan in the House currently appears to be to add the language of S 2431 to the substitute language for the consideration of HR 4016, the Department of Defense Appropriations Act, 2026. The Senate has not yet held their first cloture vote that would allow actual debate to begin on the bill. This probably indicates that there is still some backroom dealing going on to determine the broad outline of what will end up in the Senate version of the bill. Then further dealing will determine what further amendments will be considered on the floor.

Right now, SA 3951 from Sen Collins (Chair of the Appropriations Committee) is the current candidate for the substitute language to be considered, and it includes the language from S 2431. But a lot can happen in the short legislative month of December.


For more information on the cyber and UAS provisions of this bill, including cyber earmarks, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2431-introduced-fy-2026-ier-spending - subscription required.

Short Takes – 11-25-25 – Federal Register Edition

Sunshine Act Meetings. Federal Register CSB meeting notice – Summary: “The meetings are free and open to the public. These meetings will only be available via ZOOM. Close captions (CC) will be provided. At the close of each meeting, there will be an opportunity for public comment. To submit public comments for the record please email the agency at public@csb.gov.” FY 2026 quarterly meeting dates.

Protecting Against National Security Threats to the Communications Supply Chain Through the Equipment Authorization Program. Federal Register FCC final rule. Summary: “In this document, the Federal Communications Commission (Commission or FCC) clarifies that rules prohibiting authorization of covered equipment include modular transmitters and adopts a prohibition on authorization of devices that include modular transmitters that are covered equipment. The Commission also adopts a procedure to limit previously granted authorizations of covered equipment to prohibit the continued importation and marketing of such equipment. It further discusses the broad scope of the prohibition on authorization of equipment identified on the Covered List by clarifying the term “produced by” as used in the Commission's rules concerning covered equipment and clarifying the prohibition on modification to previously authorized covered equipment.”

Authorizations for Certain Activities at Liquefied Natural Gas Plants. Federal Register FERC notice of inquiry – Summary: “The Federal Energy Regulatory Commission (Commission) seeks information and stakeholder perspectives to help the Commission explore whether, and if so how, to revise our Part 153, 157, and 380 regulations to establish procedures for authorizing activities at liquefied natural gas plants without case-specific authorization orders under sections 3 and 7 of the Natural Gas Act.”

Name of Information Collection: Flight Analog Projects (FAP) Crew Selection Questionnaire; Agency: National Aeronautics and Space Administration (NASA). Federal Register NASA 60-day ICR renewal notice. Abstract: “This site contains a questionnaire to become a crew/experiment subject for Flight Analog Project (FAP) missions such as Pressure Chamber Analog, Mars Exploration Analog and other analog studies. The questionnaire is used to screen potential applicants for initial qualifications. In addition, the website where the questionnaire exists describes the FAP facilities and experiments conducted to inform and promote interest in public participating in different FAP missions.”

Delegation of Authority; Cyberspace and Digital Policy. Federal Register State Department delegation of authority notice. Summary: “By virtue of the authority vested in the Secretary of State by the laws of the United States, including section 1(a)(4) of the State Department Basic Authorities Act (22 U.S.C. 2651a(a)(4)) and the authorities hereinafter mentioned, I hereby delegate to the Ambassador at Large for Cyberspace and Digital Policy, to the extent authorized by law, the authorities and functions vested in the Secretary of State by 22 U.S.C. 2707”.

EO 14360 - Modifying the Scope of the Reciprocal Tariffs With Respect to Certain Agricultural Products. Federal Register.

EPA Sends Sunset Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a direct final rule from the EPA on “Initiation of Sunset Dates to Covered Regulations”. This rule was not listed in the Spring 2025 Unified Agenda.

This rulemaking is almost certainly the EPA’s response to EO 14270, Zero-Based Regulatory Budgeting To Unleash American Energy. Section 4(a) of that EO requires listed agencies (including the EPA) to:

“To the extent consistent with applicable law, each of the Covered Agencies shall issue a sunset rule, effective not later than September 30, 2025, that inserts a Conditional Sunset Date into each of their Covered Regulations”

The EPA is one of two ‘covered’ agencies for which the EO does not specify the ‘Covered Regulations’. Instead, §3(j) requires that the EPA “shall provide to the President, through the Director of the Office of Management and Budget (OMB Director), a list of statutes vesting EPA and ACE with regulatory authority that shall be subject to this order”. So, at this point, it is not clear which EPA statutes will inform the selection of regulations for the sunsetting requirements.

Monday, November 24, 2025

Short Takes – 11-24-25 – Space Geek Edition

China launches TJS-21 towards Molniya [highly elliptical, high inclination] orbit, lofts trio of Shijian-30 spacecraft. SpaceNews.com article. Pull quote: “Shijian is a series of satellites used to conduct experiments, test new technologies and verify operational practices on orbit. While the Shijian series spans diverse missions, the Shijian-30 triplet initially appears similar to earlier multi-satellite deployments focused on formation flying and broad “space environment” characterization.”

Blue Origin advances Blue Ring spacecraft toward 2026 national security mission. SpaceNews.com article. Pull quote: “Blue Ring is built to deliver, host and transport payloads in orbit and shift between orbits as missions require. Those movements fall under what the U.S. military calls “dynamic space operations,” a term used to describe spacecraft that can reposition themselves on demand — to gain a better sensor angle, avoid a threat, support another spacecraft or relocate payloads. Such maneuvering has become a priority for the Space Force as it eyes more resilient satellite architectures.”

ESA unveils Thales Alenia Space-led consortium for its Argonaut lunar lander. SpaceNews.com article. Pull quote: “Intended to place Europe on the moon for the first time, Argonaut was initially proposed and received its first round of funding at the 2022 ESA Ministerial Council in Paris. The spacecraft consists of three main elements: the LDE, the Cargo Platform Element and the payload. The LDE is the landing module and is responsible for transporting and delivering the payloads to the lunar surface.”

Newest Starship booster is significantly damaged during testing early Friday. ArsTechnica.com article. Pull quote: “The likely loss of this vehicle, “Booster 18,” is significant for SpaceX. Although the company is hardware-rich—it has built a massive factory in South Texas to churn out such vehicles—it nonetheless had a lot riding on this rocket. This is the first Starship Version 3, which was intended to have many design fixes and upgrades from the previous iterations of Starship vehicles to improve the reliability and performance of the massive rocket.”

Blue Origin announces New Glenn upgrade plans. SpaceNews.com article. Pull quote: “The upgrades include increasing the thrust of the seven BE-4 engines on the rocket’s first stage from a combined 3.9 million pounds-force to 4.5 million pounds-force. The two BE-3U engines on the upper stage will increase their total thrust from 320,000 to 400,000 pounds-force.”

SSC introduces streamlined ground station service. SpaceNews.com article. Pull quote: “SSC Go is designed to compete with similar services such as Kongsberg Satellite Services’ KSATlite and Leaf Space. The emphasis is on streamlined, simplified service for customers of smaller satellites who, company officials said, don’t need the “white glove” support of SSC’s traditional offerings.”

Backlog List

Rocket Lab delays first Neutron launch to 2026,

Key antenna in NASA’s Deep Space Network damaged,

Irradiated Comet 3I/ATLAS glows green and hides its tail in new image,

Isaacman’s second chance,

The First Radio Signal From Comet 3I/Atlas Ends the Debate About Its Nature, and

New 'nearly interstellar' comet — wrongly linked to 3I/ATLAS — will reach its closest point to Earth on Tuesday (Nov. 11).

Review – S 2354 Introduced – FY 2026 CJS Spending

Back in July Sen Moran (R,KS) introduced S 2354, the Commerce, Justice, Science, and Related Agencies (CJS) Appropriations Act, 2026. The Senate Appropriations Committee published their Report on the bill. The bill includes two cybersecurity mentions. The Report includes a significant number of cybersecurity mentions and earmarks, as well as one UAS discussion.

This bill is similar to S 4795, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2025, that was reported in the Senate on July 25th, 2024. No further action was taken on that bill in the 118th Congress, or on its House counterpart HR 9026.

Moving Forward

The plan in the Senate currently appears to be to add the language of S 2354 to the substitute language for the consideration of HR 4016, the Department of Defense Appropriations Act, 2026. The Senate has not yet held their first cloture vote that would allow actual debate to begin on the bill. This probably signifies that there is still some backroom dealing going on to determine the broad outline of what will end up in the Senate version of the bill. Then further dealing will determine what amendments will be considered on the floor.

Right now, SA 3951 from Sen Collins (Chair of the Appropriations Committee) is the current candidate for the substitute language to be considered, and it includes the language from S 2354. But a lot can happen in the short legislative month of December.

 

For more information on the cyber and UAS provisions of this bill, including cyber earmarks, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2354-introduced-fy-2026-cjs-spending - subscription required.

Sunday, November 23, 2025

HR 4016 to be Considered in Senate – DOD Spending bill

On Tuesday and Wednesday of last week the Congressional Record noted that the “Senate began consideration of the motion to proceed to consideration of H.R. 4016, making appropriations for the Department of Defense for the fiscal year ending September 30, 2026.” No amendments were listed as having been submitted on either day. The Senate had started to consider the bill back in October, going so far as the filing of a cloture motion to proceed to consideration of the bill, but the cloture vote never happened.

On Thursday Sen Collins submitted SA 3951 as substitute language that the Senate would consider as the first amendment to HR 4016. That amendment would include language from the following Senate bills:

S 2752 (Div A), DOD spending,

S 2354 (Div B), CJS spending,

S 2431 (Div C), IER spending,

S 2587 (Div D), LHH spending, and

S 2465 (Div E), THUD spending.

NOTE: the bills listed above without links have yet to be covered in detail in this blog. I will look at them in the coming week before the Senate comes back to Washington in December.

There is still a lot of political posing, wrangling, and deal making before the Senate gets to a final vote on HR 4016. And then the bill will have to go back to the House where Johnson will require votes from Democrats to pass any language that would meet the minimal bipartisan requirements of the Senate. More likely, the House would insist on their single-bill language and the Senate version would disappear in conference until it was brought back in whole cloth in the January 30th version of a spending bill/CR.

Short Takes – 11-23-25

AI trained on bacterial genomes produces never-before-seen proteins. ArsTechnica.com article. Pull quote: “Given that their system appears to work, the researchers decided to prompt it with just about everything: 1.7 million individual genes from bacteria and the viruses that prey on them. The result is 120 billion base pairs of AI-generated DNA, some of it containing genes we already knew about, some of it presumably containing truly novel stuff. It’s not clear to me how anyone would productively use this resource, but I’d imagine there are some creative biologists who will think of something.”

H5N5 Avian influenza confirmed in Grays Harbor County resident. DOH.WA.gov article. Pull quote: “A Grays Harbor resident who was hospitalized with influenza symptoms in early November has been confirmed to have influenza A H5, a type of avian influenza. Additional testing shows the virus to be H5N5, an avian influenza virus that has previously been reported in animals but never before in humans. The Centers for Disease Control and Prevention (CDC) and DOH currently consider the risk to the public from avian influenza to be low.”

On the Malicious NuGet Packages Containing Logic Bombs. Siemens.com article. Pull quote: “The malicious nature of the software seems to be only relevant to yet unknown, non-Siemens software which includes these packages. If this software implements a client to communicate with Siemens PLCs via legacy PUT/GET protocol, the manipulations can randomly close the connection to the device and/or cause silent failures when writing data to the PLC. The integrity of the PLC software is not affected.”

Marjorie Taylor Greene Says She Plans to Resign in January. NYTimes.com article (free). Pull quote: “But throughout her metamorphoses, Ms. Greene has remained deeply frustrated with her party and with the lack of any change in how Washington works. In her Friday evening post, she referred to “never-ending personal attacks, death threats, lawfare and ridiculous slander and lies” that she had endured in the public eye.”

Oil facility hit by large explosion in Venezuela. HazardOnTheNet.net article. Pull quote: “An investigation committee has been set up to determine the causes of the incident and rule out an act of sabotage by enemies of Venezuela, PDVSA added. Following process safety events in the country, Venezuelan officials have frequently labelled incidents as “terrorist attacks” or “sabotage” without providing evidence. Critics have said process safety incidents such as explosions and fires at the country’s oil facilities are more likely to be a result of underinvestment, mismanagement, and a lack of maintenance.” Someone is likely to claim that this is a result of a US attack on the facility.

Amazon security boss: Hostile countries use cyber targeting for physical military strikes. TheRegister.com article. Pull quote: “In January 2024, the IRGC's cyber arm began conducting targeted searches for AIS location data for a specific shipping vessel, and on February 1, 2024, US Central Command reported a missile strike by Houthi forces against that ship. "While the missile strike was ultimately ineffective, the correlation between the cyber reconnaissance and kinetic strike is unmistakable," Moses wrote.”

Measles outbreak in Arizona and Utah could spell the end for U.S. elimination status. NBCNews.com article. Pull quote: “Exposures have been reported at emergency departments and urgent care clinics in the [Washington] county, as well as in Salt Lake County. Several exposures were reported at Water Canyon Elementary School in Hildale, which is just across the border from Mohave County, Arizona, where all but four of the state’s 137 cases this year have been recorded.”

Hazardous Materials: Adjusting Registration and Fee Assessment Program. Federal Register PHMSA NPRM withdrawal. Summary: “PHMSA is withdrawing its proposed rulemaking [link added] that would have increased registration fees for persons who transport, or offer for transportation, certain categories and quantities of hazardous materials.”

Attack, defend, pursue—the Space Force’s new naming scheme foretells new era. ArsTechnica.com article. Pull quote: “The Space Force also signaled its openness to accommodating “popular names” to go along with the official designations, similar to the F-16 fighter jet, which is known as the Fighting Falcon, and the F/A-18 is the Hornet. “Names must be brief,” the Space Force instruction says. “Use no more than two short words. Choose a name that characterizes the mission and operational capabilities of the weapon system.”” A two-letter ‘code’ designates the mission type (12 types) and where the system will operate (8 types).

Backlog List:

 

The Cyber-Insecurity of Medical Devices,

Canada says hacktivists breached water and energy facilities,

Falling panel prices lead to global solar boom, except for the US,

A new biosensor can detect bird flu in five minutes,

U.S. agencies back banning popular home WiFi device, citing national security risk, and

Donald Trump Just Set Another 'Dangerous' Precedent.

Review – Public ICS Disclosures – Week of 11-15-25 – Part 2

For Part 2 we have six additional vendor disclosures from Siemens (2), Supermicro, Wireshark (2), and Zyxel. There is one vendor update from Siemens. There is one researcher report on a vulnerability in products from FortiGuard. Finally, we have three separate exploits published for the same FortiGuard vulnerability.

Advisories

Siemens Advisory #1 - Siemens published an advisory that describes an out-of-bounds read vulnerability in their PS/IGES Parasolid Translator Component.

Siemens Advisory #2 - Siemens published an advisory that describes a cross-site scripting vulnerability in their Mendix RichText editor.

Supermicro Advisory - Supermicro published an advisory that discusses four stack-based buffer overflow vulnerabilities in their BMC Firmware.

Wireshark Advisory #1 - Wireshark published an advisory that describes a Kafka dissector crash vulnerability.

Wireshark Advisory #2 - Wireshark published an advisory that describes a BPv7 dissector crash vulnerability.

Zyxel Advisory - Zyxel published an advisory that describes two vulnerabilities in multiple Zyxel product lines.

Updates

Siemens Update - Siemens published an update for their Nozomi Guardian/CMC advisory that was originally published on August 12, 2025, and most recently updated on October 14th, 2025.

Researcher Reports

FortiGuard Report - Bishop Fox published a report about an exploit for a relative path traversal vulnerability in the FortiGuard FortiWeb product.

Exploits

NOTE: These exploits are all for the same FortiWeb vulnerability discussed above. This is a really popular vulnerability this week.

Nu11secur1ty published an exploit for the path traversal vulnerability in the FortiWeb product.

Verylazytech published an exploit for the path traversal vulnerability in the FortiWeb product.

SensePost published an exploit for the path traversal vulnerability in the FortiWeb product.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-f90 - subscription required.

Saturday, November 22, 2025

Chemical Incident Reporting – Week of 11-15-25

NOTE: See here for series background.

Pinellas Park, FL – 11-14-25

Local News Report: Here, here, here, and here.

There was a fire in a refrigerated storage container that contained “industrial peroxide and acetone-based materials”. One firefighter was transported to the hospital, and released. No damage estimates were provided.

Probably not CSB reportable.

Hastings, NE – 11-17-25

Local News Report: Here, here, here, and here.

There was a leak from a 30,000 gal anhydrous ammonia storage tank at a fertilizer supply facility. No injuries or damage has been reported. Voluntary evacuations were conducted at nearby businesses.

Not CSB reportable.

Fort Wayne, IN – 11-18-25

Local News Report: Here, here, and here.

There was a 350-gal nitric acid spill at an industrial facility. No injuries or damage has been reported. A local shelter-in-place order was issued.

Not CSB reportable.

North Kingstown, RI – 11-20-25

Local News Report: Here, here, here, and here.

There was an anhydrous ammonia leak on the roof of a food processing facility. Thirteen people were transported to hospital, two in critical condition.

CSB reportable.

Tyler, TX – 11-20-25

Local News Report: Here, here, and here.

There was a fire at a refinery. Local evacuations were ordered. No injuries were reported. No estimates of the amount of damage were reported.

Possible CSB reportable.

Review – Public ICS Disclosures – Week of 11-15-25 – Part 1

This week we have bulk disclosures from FortiGuard (6). We have 11 additional vendor disclosures from ABB, Bosch (4), HPE (4), Mitsubishi, and Philips.

Bulk Disclosures - FortiGuard

Stack buffer overflow in CAPWAP daemon,

Stack buffer overflow in CAPWAP daemon,

Authenticated CLI Commands Buffer Overflow,

Credential leakage through debug commands,

File scan result bypass, and

Trusted hosts bypass via SSH.

Advisories

ABB Advisory - ABB published an advisory that describes an authentication bypass using alternate path or channel vulnerability in their Edgenius Management Portal.

Bosch Advisory #1 - Bosch published an advisory that discusses two vulnerabilities (one with a publicly available exploit) in their MAP 5000 family.

Bosch Advisory #2 - Bosch published an advisory that describes an inadequate encryption strength vulnerability in their MAP 5000 panel.

Bosch Advisory #3 - Bosch published an advisory that discusses a double free vulnerability in their MAP 5000 family.

Bosch Advisory #4 - Bosch published an advisory that describes a use of a broken or risky cryptographic algorithm vulnerability in their MAP 5000 family.

HPE Advisory #1 - HPE published an advisory that discusses three vulnerabilities in their Telco Service Activator.

HPE Advisory #2 - HPE published an advisory that discusses an improper isolation or compartmentalization vulnerability in their Compute Scale-up Server 3200 Platform Servers.

HPE Advisory #3 - HPE published an advisory that describes seven vulnerabilities (five with publicly available exploits) in their Aruba Networking Management Software (AirWave).

HPE Advisory #4 - HPE published an advisory that discusses 13 vulnerabilities (six with publicly available exploits) in their Aruba Networking AOS-CX.

Mitsubishi Advisory - Mitsubishi published an advisory that describes an uncontrolled search path element vulnerability in their MILCO.S lighting control system.

Philips Advisory - Philips published an advisory that discusses a Microsoft double free vulnerability that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

 

For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-6f4 - subscription required.

Friday, November 21, 2025

Review – Bills Introduced – 11-20-25

Yesterday, with both the House and Senate in session (and the Senate leaving for Thanksgiving), there were 154 bills introduced. Two of those bills will receive additional attention in this blog:

HR 6187 To direct the Administrator of the Pipeline and Hazardous Materials Safety Administration to establish a grant program to facilitate the improved safety and modernization of hazardous liquid distribution infrastructure, and for other purposes. Fitzpatrick, Brian K. [Rep.-R-PA-1] 

S 3251 A bill to amend the Homeland Security Act of 2002 to authorize State and local cybersecurity grants for fiscal year 2026, and for other purposes. Hassan, Margaret Wood [Sen.-D-NH]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief look at a bill to restrict Chinese humanoid-robots, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-11-20-25 - subscription required.

Transportation Chemical Incidents – Week of 10-18-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 460 (418 highway, 40 air, 2 rail, 0 water)

• Serious incidents – 4 (3 Bulk release, 1 evacuation, 0 injury, 0 death, 0 major artery closed, 0 fire/explosion, 42 no release)

• Largest container involved – 29,050-gal DOT 117R100W Railcar {Elevated Temperature Liquid, N.O.S., at or Above 100 C and Below Its Flash Point (Including Molten Metals, Molten Salts, Etc.)} Air valve plug less than tool tight and valve cracked open.

• Largest amount spilled – 1,200-gal DOT 406 Trailer {Hydrocarbons, Liquid, N.O.S.} Driver at fault traffic accident.

• Total amount reported spilled in all incidents – 2651.3-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Chloropicrin: A slightly oily colorless to yellow liquid with a strong irritating odor. Noncombustible. Denser than water. Vapors are poisonous by inhalation and irritate eyes, nose, and throat. Behavior in Fire: Compound forms a powerful tear gas when heated. Heated material may detonate under fire conditions. (Source: CameoChemicals.NOAA.gov).

 



Ninja Squirrels

There is an interesting (but brief) article over at SCADAMag.Infracritical.com that notes that squirrels are the number three cause of power outages in the United States. It also provides a list of the top ten outage causes, sourced from the American Public Power Association. Nary a mention of cyberattacks, though the number four listing of ‘unknown’ does give some pause for thought. The lack of cyber should not be surprising, even given the numerous stories about the presence of Chinese malware in the grid infrastructure; the Chinese (or Iranians, or North Koreans, or whomever) actually shutting down the grid would have people calling for nuke strikes.

Two pieces of information are, however, missing from the discussion: the number of people affected by each outage and the time to recover from it; both are important measures of 'attack' impact. I suspect that the rankings on the list would be significantly different for either of those metrics, with ‘storms’ and ‘weather’ nearer the tip-top of the lists.

In any case, this just goes to prove how important the often unsung work of electrical system employees, particularly line crews, is to our society. The next time you see a line crew truck drive by, give them a salute; they deserve the recognition.
