DOE Withdraws Sunset Provision NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DOE had withdrawn a notice of proposed rulemaking (NPRM) on “Zero-Based Regulating”. Interestingly, the notice reports that the NPRM was also submitted to OIRA yesterday; that probably means that this is just a temporary delay.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The U.S. Department of Energy is considering initiating a proposed rule to amend the regulations that govern energy production to include a sunset provision in compliance with EO 14270 [link added], " Zero-Based Regulatory Budgeting To Unleash American Energy".”

FCC Sends PNT Solutions NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking on “Promoting the Development of Positioning, Navigation, and Timing Technologies and Solutions, WT Docket No. 25-110”. The Commission requested comments on 25-110 via a public notice (not FR publication) on March 6^th, 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The proceeding seeks to build a record on specific actions the Federal Communications Commission can take to help develop complements and alternatives to the Global Positioning System (GPS) with the goal of ensuring robust and reliable Positioning, Navigation, and Timing (PNT) technologies and solutions.”

Because of the potential use of the ‘timing’ portion of this technology by SCADA (and other types of control) systems, I would expect to give some level of attention the publication of this rulemaking in this blog.

Review – Bills Introduced – 3-2-26

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 22 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7744 Department of Homeland Security Appropriations Act, 2026 Cole, Tom [Rep.-R-OK-4] 

HR 7748 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Deluzio, Christopher R. [Rep.-D-PA-17]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention in passing of a bill limiting institutional investor solicitations after major natural disasters, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-2-26 - subscription required.

Review – Public ICS Disclosures – Week of 2-21-26 – Part 2

For Part 2 we have seven additional vendor disclosures from Trumpf, VMware (2), Wireshark (3), and Zyxel. There are ten vendor updates from FortiGuard (3), Hitachi Energy, HP (2), Moxa, and Siemens (3). There are 14 researcher reports for products from Owl (11), and Tattile (3). Finally, we have two exploits for products from Supermicro and Tesla.

Advisories

Trumpf Advisory - CERT-VDE published an advisory that discusses a least privilege violation vulnerability in multiple Trumpf products.

VMware Advisory #1 - Broadcom published an advisory that describes four vulnerabilities in the VMware Workstation and Fusion products.

VMware Advisory #2 - Broadcom published an advisory that describes three vulnerabilities in the VMware Aria Operations product.

Wireshark Advisory #1 - Wireshark published an advisory that describes a buffer over-read vulnerability in their RF4CE Profile dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a NULL pointer dereference vulnerability in their NTS-KE dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes an allocation of resources without limit or throttling vulnerability in their USB HID dissector.

Zyxel Advisory - Zyxel published an advisory that describes seven vulnerabilities in multiple Zyxel product lines.

Updates

FortiGuard Update #1 - FortiGuard published an update for their FortiOS advisory that was originally published on February 10^th, 2026.

FortiGuard Update #2 - FortiGuard published an update for their OpenSSL advisory that was originally published on January 30^th, 20276, and most recently updated on February 17^th, 2026.

FortiGuard Update #3 - FortiGuard published an update for their cw_acd daemon advisory that was originally published on January 13^th, 2026, and most recently updated on January 19^th, 2026.

Hitachi Energy Update - Hitachi Energy published an update for their RTU500 advisory that was originally published on April 30^th, 2024, and most recently updated on September 9^th, 2025.

HP Update #1 - HP published an update for their Intel Xeon Processor advisory that was originally published on October 29^th, 2025.

HP Update #2 - HP published an update for their AMD Embedded Processors advisory that was originally published on September 30^th, 2025.

Moxa Update #1 - Moxa published an update for their Ethernet Switches advisory that was originally published on January 9^th, 2026.

Moxa Update #2 - Moxa published an update for their EDS-P510 Series advisory that was originally published on November 8^th, 2025.

Siemens Update #1 - Siemens published an update for their SINEC OS advisory that was originally published on August 12^th, 2025, and most recently updated on February 12^th, 2026.

Siemens Update #2 - Siemens published an update for their SINEC OS advisory that was originally published on August 12^th, 2025, and most recently updated on February 12^th, 2026.

Siemens Update #3 - Siemens published an update for their SINEC OS advisory that was originally published on January 28^th, 2026.

Researcher Reports

Owl Reports - Nozomi Networks published 11 reports describing vulnerabilities in the Owl OPDS data diode solution.

Tattile Reports - Zero Science published three reports about vulnerabilities in Tattile Cameras.

Exploits

Supermicro Exploit - Indoushka published an exploit for an old (2013) improper restriction of operations within the bounds of a memory buffer vulnerability in the Supermicro Onboard IPMI X9SCL.

Tesla Exploit - Nullze published an exploit for a denial-of-service vulnerability in the Tesla S/3/X.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-5e6 - subscription required.

Chemical Incident Reporting – Week of 2-21-26

NOTE: See here for series background.

Cofield, NC – 2-21-26

Local News Report: Here, here, and here.

There was a grain silo explosion at a feed mill. One employee died and two were transported to local hospital. There is no mention of the level of damages to the facility.

CSB reportable.

Colton, CA – 2-25-26

Local News Report: Here, here, and here.

There was an explosion in a trailer containing hydrogen cylinders. One person was killed and one was transported to hospital with burn injuries. The first article reported that the trailer contained hydrogen fuel cells which may have included hydrogen cylinder if they were operational.

Possible CSB reportable. While a fire/explosion in a trailer in transit would be an NTSB matter, a trailer parked at a fixed facility with ongoing operations out of the trailer would be a fixed site under EPA/CSB rules.

Brookfield, WI – 2-25-26

Local News Report: Here, here, here, and here.

There was a refrigerant leak at a large retail store. The building was evacuated. No injuries or damages were reported.

Not CSB reportable.

Greenville, NC – 2-25-26

Local News Report: Here, here, and here.

There was an apparent carbon monoxide leak at a manufacturing facility. The facility was evacuated and 18 employees were transported to local hospitals. There is no reported source of CO at the facility.

Possible CSB reportable if any of the 18 were admitted to the hospital.

Memphis, TN – 2-26-26

Local News Report: Here and here.

There was an unidentified chemical spill at a package shipping hub. No injuries were reported.

Not CSB reportable.

Review – Public ICS Disclosures – Week of 2-21-26 - Part 1

We have a busy disclosure week. For Part 1 we have 17 vendor disclosures from ABB (2), Dell, Festo, Fujitsu, Hitachi (2), Hitachi Energy (3), HP (2), HPE (3), Sick, and Supermicro.

Advisories

ABB Advisory #1 - ABB published an advisory that discusses an insecure default initialization of resource vulnerability in their Automation Builder product.

ABB Advisory #2 - ABB published an advisory that discusses three vulnerabilities in their AC500 V3 products.

Dell Advisory - Dell published an advisory that describes four vulnerabilities in their Wyse Management Suite.

Festo Advisory - CERT-VDE published an advisory that 126 vulnerabilities in the Festo Automation Suite product. These are third-party (CODESYS) vulnerabilities.

Fujitsu Advisory - JP-CERT published an advisory that describes an out-of-bounds write vulnerability in the Fujitsu Fujitsu BIOS Driver.

Hitachi Advisory #1 - Hitachi published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Advisory #2 - Hitachi published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Configuration Manager and Ops Center API Configuration Manager products.

Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes four vulnerabilities (one with publicly available exploit) in their RTU500 series CMU Firmware.

Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that describes two vulnerabilities in their Relion REB500 Product.

Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Ellipse product.

HP Advisory #1 - HP published an advisory that discusses four vulnerabilities (two with publicly available exploits) in their LaserJet Enterprise and LaserJet Managed Printers.

HP Advisory #2 - HP published an advisory that describes three improper check for unusual or exceptional conditions vulnerabilities in multiple product lines utilizing the Intel NPU driver.

HPE Advisory #1 - HPE published an advisory that describes an authentication bypass vulnerability in their AutoPass License Server (APLS).

HPE Advisory #2 - HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their ProLiant AMD DL/XL Servers.

HPE Advisory #3 - HPE published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in their SimpliVity Servers.

Sick Advisory - Sick published an advisory that describes two use of risky or broken cryptographic algorithm vulnerabilities in their LMS1000 and MRS1000 products.

Supermicro Advisory - Supermicro published an advisory that discusses an improper restriction of operations within the bounds of a memory buffer vulnerability in multiple products.

 

For more information on these disclosures, including links to 3^rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-805 - subscription required.

Chemical Transportation Incidents – Week of 1-24-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 320 (288 highway, 29 air, 3 rail, 0 water)

• Serious incidents – 1 (1 Bulk release, 0 evacuation, 0 injury, 0 death, 1 major artery closed, 0 fire/explosion, 27 no release)

• Largest container involved – 27,312-gal DOT 111A100W5 Railcar {Hydrochloric Acid} Leaking pressure relief device.

• Largest amount spilled – 5,500-gal DOT 406 Trailer {Gasoline Includes Gasoline Mixed With Ethyl Alcohol, With Not More Than 10% Alcohol} Release due to roll-over truck accident.

• Total amount reported spilled in all incidents – 6595.7-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Dimethyl Sulfide: A clear colorless to straw colored liquid with a disagreeable odor. Flash point less than 0°F. Less dense than water and slightly soluble in water. Vapors are heavier than air. (Source: CameoChemicals.NOAA.gov).

 

Review – CSB Publishes Dow EO Release Investigation Report

Yesterday the Chemical Safety Board (CSB) announced the publication of a report on the 2023 explosion and ethylene oxide release incident at the DOW plant in Plaquemine, Louisiana. The incident resulted in the release of 31,000-lbs of EO, but no one was reported injured and there were no deaths. The CSB reported three safety issues identified and published four safety recommendations. This leaves seven open investigations.

The incident involved the vapor relief system. Leaks in the system allowed air to enter the piping. When debris from equipment left in a large reflux drum punctured a rupture disk attached to the system, EO vapors entered the piping and created a flammable atmosphere in the piping. The resulting explosion propagated through the pressure relief system.

 

For more information on the report, including a description of the four recommendations – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-dow-eo-release-investigation - subscription required.

BIS Sends AI Action Plan Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “AI Action Plan Implementation”. An interim final rule was published (under the earlier title of this rulemaking; Framework for Artificial Intelligence Diffusion) on January 15^th, 2025.

According to the Spring 2025 Unified Agenda for this rulemaking:

“The Bureau of Industry and Security (BIS) intends to rescind portions of the revisions and additions implemented by the Framework for Artificial Intelligence Diffusion,” published January 15, 2025. BIS intends to issue a new rule which will provide a more streamlined framework for enabling the secure deployment of advanced U.S. AI technology abroad.”

This final rule would appear to be beyond the normal scope of coverage of this blog, so I do not plan on detailed coverage of its publication. I would expect to announce that, however, in the appropriate Short Takes post.

10 Advisories and 3 Updates Published – 2-26-26

Today CISA’s NCCIC-ICS published 10 control system security advisories for products from Copeland, Yokogawa, Mobility46, EV Energy, SWITCH EV, Chargemap, EV2GO, CloudCharge, Pelco, and Johnson Controls. They also published updates for advisories from Honeywell, Schneider Electric, and Hitachi Energy.

Advisories

Copeland Advisory - This advisory describes 23 vulnerabilities in the Copeland XWEB and XWEP Pro plant management software.

Yokogawa Advisory - This advisory describes six vulnerabilities in the Yokogaw Vnet/IP Interface Package used in their CENTUM VP R6 and R7 products.

Mobility46 Advisory - This advisory describes four vulnerabilities in the Mobility46 mobility46.se digital parking management and EV charging solution.

EV Energy Advisory - This advisory describes four vulnerabilities in the EV Energy ev.energy EV charging management solution.

SWITCH EV Advisory - This advisory describes four vulnerabilities in the SWITCH EV SwitchEnergy.com multiple EV charging systems management.

Chargemap Advisory - This advisory describes four vulnerabilities in the Chargemap Chargemap.com EV fleet charging management.

EV2GO Advisory - This advisory describes four vulnerabilities in the EV2GO ev2go.io charging infrastructure management.

CloudCharge Advisory - This advisory describes four vulnerabilities in the CloudCharge cloudcharge.se charging facility management.

Pelco Advisory - This advisory describes an authentication bypass using an alternate path or channel vulnerability in the Pelco Sarix Pro 3 Series IP Cameras.

Johnson Controls Advisory - This advisory describes six vulnerabilities in the Johnson Controls Frick Controls Quantum HD compressor control panel.

Updates

Honeywell Update - This update provides additional information on the HIB2PI and HDZ Series CCTV Cameras advisory that was originally published on February 17^th, 2026.

Schneider Update - This update provides additional information on the EcoStruxure Power Operation advisory that was originally published on July 22^nd, 2025.

NOTE: I briefly discussed this new information on February 15^th, 2026.

Hitachi Energy Update - This update provides additional information on the Relion 670/650/SAM600-IO Series advisory that was originally published on May 13^th, 2025, and most recently updated on June 5^th, 2025.

NOTE: I briefly mentioned the Hitachi Energy update on February 1^st, 2026.

 

For more information on these advisories, including a DTRH look at EV charger cybersecurity research, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/10-advisories-and-3-updates-published-7f5 - subscription required.

Short Takes – 2-26-26 – Federal Register Edition

Notice and Request for Comment; Proposal for a New United Nations Global Technical Regulation on Automated Driving Systems (ADS). Federal Register NHTSA request for comments. Summary: “The United Nations Working Party on Automated/Autonomous and Connected Vehicles (GRVA), under the World Forum for the Harmonization of Vehicle Regulations (WP.29) at United Nations Economic Commission for Europe (UNECE), has proposed a draft Global Technical Regulation (GTR) for Automated Driving Systems (ADS). NHTSA is seeking public comment on the draft GTR to help inform the U.S. government's position, including how that position could relate to any future domestic actions regarding the safety and performance of Automated Driving Systems. With this notice, NHTSA is announcing a 15-day extension of the public comment period for this request for comment.” Comments due March 10^th, 2026.

Proposed Renewal Collection and Request for Comment; Confidential Business Information Claims Under the Toxic Substances Control Act (TSCA). EPA 60-day ICR renewal notice. Summary: “In compliance with the Paperwork Reduction Act (PRA), this document announces the availability of and solicits public comment on the following Information Collection Request (ICR) that EPA is planning to submit to the Office of Management and Budget (OMB): Confidential Business Information Claims under the Toxic Substances Control Act (TSCA) (EPA ICR No. 2706.04 and OMB Control No. 2070-0223). This ICR represents a renewal of an existing ICR that is currently approved through August 31, 2026. Before submitting the ICR to OMB for review and approval under the PRA, EPA is soliciting comments on specific aspects of the information collection that is summarized in this document. The ICR and accompanying material are available in the docket for public review and comment.” Comments due April 27^th, 2026.

Worker Safety and Health Requirements To Support Reform of Nuclear Reactor Testing; Reopening of Public Comment Period. DOE NPRM comment extension. Summary: “On January 21, 2026, the U.S. Department of Energy (“DOE”) published a notice of proposed rulemaking (“NOPR”) seeking to amend certain regulations for worker safety and health to expedite the review, approval, and deployment of advanced reactors under DOE's jurisdiction, including qualified test reactors in DOE's reactor pilot program consistent with a recent Executive order. The NOPR provided an opportunity for submitting written comments, data, and information by February 20, 2026. By letter dated February 4, 2026, the American Federation of Labor and Congress of Industrial Organizations (“AFL-CIO”) requested a 45-day extension to the comment period. DOE has reviewed this request and is re-opening the public comment period until March 23, 2026.”

EO 14388 - Continuing the Suspension of Duty-Free De Minimis Treatment for All Countries. Federal Register.

EO 14389 - Ending Certain Tariff Actions. Federal Register.

Review – Bills Introduced – 2-25-26

Yesterday, with both the House and Senate in session, and the House preparing to leave for a long weekend, there were 81 bills introduced. One of those bills will receive additional coverage in  this blog:

HR 7696 To establish a grant program to provide awards to National Laboratories and institutions of higher education to develop secure artificial intelligence (AI) cyber-physical testbeds to simulate grid-scale cyberattacks, and for other purposes. Hernández, Pablo Jose [Resident Commissioner-D-PR-At Large]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention in passing of a bill requiring ICE to return identity documents to released detainees, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-25-26 - subscription required.

Review – Bills Introduced – 2-24-26

Yesterday, with both the House and Senate in Washington, there were 31 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7662 To enhance safety requirements for trains transporting hazardous materials, and for other purposes. Nehls, Troy E. [Rep.-R-TX-22]

S 3903 A bill to enhance safety requirements for trains transporting hazardous materials, and for other purposes. Husted, Jon [Sen.-R-OH]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-24-26 - subscription required.

DOT Sends Administrative Procedures Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOT’s Office of the Secretary (OS) on “Administrative Rulemaking, Guidance, and Enforcement Procedures”. The notice of proposed rulemaking was published on May 16^th, 2025. Interestingly, even though the NPRM was published before the Spring 2025 Unified Agenda (published in September 2025), that NPRM was listed as being projected for publication in July 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This rulemaking would reinstate and expound upon procedural reforms for the Department’s rulemakings, guidance documents, and enforcement actions rescinded by a final rule published by the Department on April 2, 2021, Administrative Rulemaking, Guidance, and Enforcement Procedures (86 FR 17292) [link added]. Accordingly, this proposed rule would revise and update the Department’s internal policies and procedures relating to the issuance of rulemaking documents. In addition, this rulemaking would update the Department’s procedural requirements governing the review and clearance of guidance documents, and the initiation and conduct of enforcement actions, including administrative enforcement proceedings and judicial enforcement actions brought in Federal court.”

That 2021 rulemaking was part of the Biden Administration’s effort to remove much of 45’s regulatory agenda. Specifically, that Biden Administration rulemaking addressed an earlier DOT/OS rulemaking (84 FR 71714) from the previous administration. The preamble to the 2021 rulemaking noted that:

“Many of the policies and procedures codified at 49 CFR part 5 were prompted by Executive orders that have since been revoked by E.O. 13992.^[1] As a result, the Department will rescind those policies and procedures, or portions thereof, that implemented or enforced any of the revoked orders. This final rule removes from 49 CFR part 5 those provisions that reflect revoked policies and procedures that are no longer in effect.”

This is one of the problems with relying on executive orders as the authority for issuing regulations. It is relatively easy for the next administration to come in and revoke/change those regulations. In this case, since this rule only directly impacts internal DOT processes, this is more of a storm in a tea pot issue, but it does reflect significant changes in regulatory intent, and those changes are already in place and are already affecting DOT policy and rulemaking regardless of the presence or absence of this rule.

I will not be covering this final rule in any detail, but I would expect to report its publication in the appropriate Short Takes post.

Review – 3 Advisories and 2 Updates Published – 2-24-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from Gardyn, Schneider Electric, and InSAT. They also updated two advisories for products from Mitsubishi.

Advisories

Gardyn Advisory - This advisory describes four vulnerabilities in the Gardyn Home Kit product line.

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider EcoStruxure Building Operation Workstation.

NOTE: I briefly discussed these vulnerabilities on February 14^th, 2026

InSAT Advisory - This advisory describes two SQL injection vulnerabilities in the InSAT MasterSCADA BUK-TS.

Updates

Mitsubishi Update #1 - This update provides additional information on the Iconics Digital Solutions advisory that was originally published on October 22^nd, 2024, and most recently updated on January 8^th, 2026.

Mitsubishi Update # 2 - This update provides additional information on the ICONICS Suite advisory that was originally published on July 26^th, 2022, and most recently updated on January 15^th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published-758 - subscription required.

Short Takes – 2-24-26 – Federal Register Edition

Prior Notice of Citizen Suits. Federal Register EPA notice of proposed rulemaking. Summary: “The Environmental Protection Agency (EPA) is proposing to amend its regulations prescribing the manner in which prior notice of citizen suits is to be provided as required under the citizen suit provisions of the Clean Air Act (CAA), the Clean Water Act (CWA), the Safe Drinking Water Act (SDWA), the Noise Control Act (NCA), the Resource Conservation and Recovery Act (RCRA), the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), and the Toxic Substances Control Act (TSCA). This proposed rulemaking would generally require electronic service to EPA of Notices of Intent (NOIs) to file a citizen suit under the listed environmental statutes. These proposed revisions would help ensure the Agency receives and processes such NOIs in a timely and efficient manner.” Comments due: March 26^th, 2026.

Proposed Renewal Collection and Request for Comment; Chemical Data Reporting Under the Toxic Substances Control Act (TSCA). Federal Register EPA 60-day ICR renewal notice. Summary: “In compliance with the Paperwork Reduction Act (PRA), this document announces the availability of and solicits public comment on the following Information Collection Request (ICR) that EPA is planning to submit to the Office of Management and Budget (OMB): Chemical Data Reporting under the Toxic Substances Control Act (TSCA) (EPA ICR No. 1884.17 and OMB Control No. 2070-0162). This ICR represents a renewal of an existing ICR that is currently approved through October 31, 2026. Before submitting the ICR to OMB for review and approval under the PRA, EPA is soliciting comments on specific aspects of the information collection that is summarized in this document. The ICR and accompanying material are available in the docket for public review and comment.” Comments due: April 27^th, 2026.

Railroad Safety Advisory Committee. Federal Register FRA request for nominations. Summary: “In this notice, the Department is soliciting nominations for membership to the Committee. The Committee shall report to the Secretary of Transportation through the FRA Administrator and shall comprise 25 members representing the agency's major stakeholder groups, including railroads, labor organizations, suppliers, and manufacturers, as well as other interested parties.” Nominations due: March 26^th, 2026.

Pipeline Safety: Request for Special Permit; Sable Offshore Corp. Federal Register PHMSA notice. Summary: “PHMSA is publishing this notice to solicit public comments on a request for a special permit submitted by Sable Offshore Corp. (Sable). Sable is seeking relief from compliance with certain requirements in the Federal pipeline safety regulations. PHMSA has proposed conditions to ensure that the special permit is not inconsistent with pipeline safety. At the conclusion of the 30-day comment period, PHMSA will review the comments received from this notice as part of its evaluation to grant or deny the special permit request.” Comments due: March 26th, 2026.

Review – CSB Publishes PEMEX H2S Release Investigation Report

Yesterday the Chemical Safety Board announced the publication of incident investigation report for the October 2024, fatal hydrogen sulfide leak at the PEMEX facility in Deer Park, TX. During the incident 27,000-lbs of H2S were released when contractors opened the wrong line during a maintenance procedure. Two workers were killed and 13 were transported to local hospitals for exposure to H2S. The report identified four key safety issues and the Board made four safety recommendations to prevent future such accidents.

This closed investigation leave just eight CSB open investigations. The four new recommendations brings the total number of CSB recommendations to date to 1,026 with 118 open recommendations.

Incident Summary

The Executive Summary for the report describes the incident:

“The release occurred when contract workers from Repcon, Inc. (Repcon) opened piping containing hydrogen sulfide gas. Instead of opening a pipe flange on empty piping, the workers mistakenly opened an identical piping segment 5 feet away, releasing pressurized hydrogen sulfide gas and fatally injuring one of the Repcon workers. The released hydrogen sulfide traveled downwind to the adjacent unit, where a worker from ISC Constructors, who was unaware of the release, inhaled the toxic hydrogen sulfide and also was fatally injured. The release continued for nearly an hour until PEMEX Deer Park emergency responders reassembled the leaking flange, stopping the release. Thirteen additional contract workers were transported to nearby medical facilities to be evaluated for hydrogen sulfide exposure”

 

For more information on the CSB report, including commentary on another potential safety issue, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-publishes-pemex-h2s-release-investigation - subscription required.

EPA Sends Chem Mfg Technology Review Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIIRA) announced that it had received an final rule from the EPA on “National Emission Standards for Hazardous Air Pollutants: Chemical Manufacturing Area Source Technology Review”. This mandatory NESHAP review is subject to a consent decree requiring the publication of the final rule by January 15^th, 2026. The notice of proposed rulemaking for this action was published on January 22^nd, 2025.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This action will address the agency's technology review of the National Emission Standards for Hazardous Air Pollutants (NESHAP) for Chemical Manufacturing Area Sources (CMAS). The CMAS NESHAP, subpart VVVVVV, was promulgated on October 29, 2009, pursuant to section 112(d) of the Clean Air Act (CAA) and established emission limitations and work practice requirements for controlling emissions of hazardous air pollutants (HAP). The NESHAP controls HAP emissions from process vents, storage tanks, equipment leaks, wastewater streams, transfer operations and heat exchange systems. This action addresses the technology review requirements of CAA section 112(d)(6) which require the EPA to review and revise the standards as necessary (taking into account developments in practices, processes and control technologies) no less often than every 8 years.”

This rulemaking is beyond the normal scope of coverage in this blog, so I probably will not provide any detailed coverage of the final rule. I do expect to at least acknowledge its publication in the appropriate Short Takes post.

House Passes HR 2600 – ASCEND Act

Today the House took up HR 2600, the Accessing Satellite Capabilities to Enable New Discoveries (ASCEND) Act, under the suspension of the rules process. After just 8 minutes of debate, the House passed the bill by a voice vote.

This bill provides statutory authority for the Commercial SmallSat Data Acquisition (CSDA) program run by the National Aeronautics and Space Administration (NASA). Through the CSDA program, NASA acquires remote sensing data and imagery from commercial satellites to support its Earth science research. (Remote sensing generally refers to the collection of data by instruments in Earth’s orbit, such as satellites, that can be processed into imagery of Earth’s surface.) No new spending is authorized by this bill.

Review – FAA Publishes cUAS Coordination ICR Notice – 2-13-26

On February 13^th, 2026, the DOT’s Federal Aviation Administration (FAA) published a new information collection request notice in the Federal Register (91 FR 6976-6977) on “FAA Request Form for CUAS Coordination”. The proposed collection would support requirements for federal agencies and State, local, and tribal and territorial law enforcement agencies to coordinate with the FAA before conducting counter UAS operations. The notice reports that the FAA expects 100 coordination requests annually with a 100-hour annual burden estimate.

The notice explains that:

“Secretary of Defense, Secretary of the Attorney General, the Secretary of Energy, State Local, Tribal, and Territorial Law Enforcement (SLTT) must coordinate with the Secretary of Transportation for certain Title 18 protections under 10 U.S.C. 130i, 6 U.S.C. 124n, and 50 U.S.C. 2661 authorities respectively. This data collection supports these laws.”

Public Comments

The FAA is soliciting public comments on this ICR notice. Comments may be submitted via the ‘Submit Public Comment’ button at the top of this Federal Register page. Comments should be submitted by March 3^rd, 2026.

 

For more details this ICR notice, including discussion of the administrative problems with this ICR notice, as well as a discussion of the cUAS coordination requirements of 6 USC 124n, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-cuas-coordination-icr - subscription requirements.

Review – Committee Hearings – Week of 2-22-26

With both the House and Senate back in Washington, and with snow expected today, there is a relatively light hearing schedule. There are no hearings currently scheduled of specific interest here. Tuesday night is the State of the Union address by the President. The Senate will be having periodic (probably daily) cloture votes on HR 7147, the DHS spending bill; still no deal in sight there. The House has a short list (6) of bills that will be considered under the suspension of the rules process including one bill under Space Geek coverage here.

 

For more information on legislation and SOTU, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-2-22-26 - subscription required.

Short Takes – 2-22-26

Trump signals new tariffs plan. Here's how Section 122 works. Axios.com article. Pull quote: “The global break from President Trump's tariffs will only be temporary. For months, top Trump officials said they had a "Plan B" if the highest court blocked their signature economic policy — which could leave hefty import taxes on foreign consumer goods essentially intact.”

A high-stakes State of the Union just got harder for Trump. Politico.com article. Pull quote: “Economic growth is flagging. U.S. military assets are massing in the waters around Iran in anticipation of a potential strike that many in the president’s base find odious. A major government agency is shut down over an immigration standoff with Democrats sparked after federal agents killed two U.S. citizens. “Make America Healthy Again” activists are furious over Trump’s order boosting domestic production of the herbicide glyphosate. The scandal surrounding Jeffrey Epstein, the late convicted sex offender, continues to swirl.”

ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward. Forescout.com blog post. Pull quote: “The number of OT/ICS vulnerabilities isn’t the only thing growing. They are also becoming more severe. The average CVSS score of advisories has been trending upwards (see below). Back in 2010, the average was 6.44, classified as medium severity. In 2024, the average crossed 8.0 for the first time and it remained there in 2025.”

Campus vaccine strategies put to test by rising measles cases. TheHill.com article. Pull quote: ““Academic institutions tend to be environments where infectious diseases can quickly spread. In one large classroom, many dozens of students can be confined in close spaces for prolonged periods of time. Under those conditions, even a single measles case is highly likely to spread widely across the campus, as students also live in close proximity with roommates in dorms and apartments,” Gostin said.”

How uncrewed narco subs could transform the Colombian drug trade. TechnologyReview.com article. Pull quote: “Analysts don’t think uncrewed narco subs will reshape the global drug trade, despite the technological leap. Trafficking organizations will still hedge their bets across those three variables, hiding cocaine in shipping containers, dissolving it into liquids and paints, racing it north in fast boats. “I don’t think this is revolutionary,” Shuldiner says. “But it’s a great example of how resilient cocaine traffickers are, and how they’re continuously one step ahead of authorities.”” What about narco terrorists shipping IED semisubmersibles?

Chemical Weapons by Violent Non-State Actors in Combat. SmallWarsJournal.com commentary. Pull quote: “While the use of chemical weapons by non-state actors in combat is a relatively new phenomenon, the examples of the LTTE and IS display several commonalities that may occur in future conflicts. Modern militaries should recognize and prepare for these risks, particularly in counterinsurgency operations. Chemical weapons deployed by similar organizations are likely to be crude and small-scale, deployed through explosives, primitive projectiles, or even wind dispersal, although there is a possibility of future drone use. Ultimately, it is likely that the psychological impact of these weapons will far outweigh any tactical advantage that they may confer.”

The scientist using AI to hunt for antibiotics just about everywhere. TechnologyReview.com article. Pull quote: “But de la Fuente is using artificial intelligence to bring about a different future. His team at the University of Pennsylvania is training AI tools to search genomes far and deep for peptides with antibiotic properties. His vision is to assemble those peptides—molecules made of up to 50 amino acids linked together—into various configurations, including some never seen in nature. The results, he hopes, could defend the body against microbes that withstand traditional treatments.”

Backlog List

• Empower Biomed Engineers with Smarter Medical Device Intelligence,

• A new diabetes treatment could free people from insulin injections,

• Why Some Doctors Say There Are Cancers That Shouldn’t Be Treated,

• Apple Supplier Hit by Cyberattack, Manufacturing Data at Risk,

• ‘Can You Print a House?’: God, Robots and the U.S. Housing Crisis,

• Here's Where Measles Case Counts Are Highest,

• The Nontoxic Cleaner That Kills Germs Better Than Bleach—And You Can Use It on Your Skin,

• Stunning Antarctic Sea Creatures Discovered after Iceberg Breaks Away,

• The Invisible Toll of Bird Flu on Wildlife, and

• Defining WMD for Policy Issues.

Review – Public ICS Disclosures – Week of 2-14-26 – Part 2

For Part 2 we have another set of bulk vendor disclosures from Splunk (11). We have three additional vendor disclosures from Broadcom, and Supermicro (2). There are six vendor updates from Broadcom (2), HP (2), and HPE (2). There is also a researcher reports for vulnerabilities in products from OpenCFD. Finally, we have two exploits for products from FortiGuard and Splunk.

Bulk Vendor Disclosures – Splunk

• Third-Party Package Updates in Splunk DB Connect - February 2026,

• Third-Party Package Updates in Splunk Enterprise - February 2026,

• Third-Party Package Updates in Splunk Universal Forwarder - February 2026,

• Sensitive Information Disclosure in ''_internal'' index in Splunk Enterprise,

• Local Privilege Escalation in Splunk Enterprise for Windows through Python Module Search Path,

• Sensitive Information Disclosure in "_internal" index in Splunk Enterprise,

• Improper Access Control in Splunk Monitoring Console App,

• Local Privilege Escalation (LPE) in Splunk Enterprise for Windows through DLL Search‑Order Hijacking,

•Client-Side Denial of Service (DoS) through ''/splunkd/raw/services/authentication/ users/username'' REST API endpoint in Splunk Enterprise,

• Sensitive Information Disclosure in "_internal" index in Splunk Enterprise,

• Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise,

Advisories

Broadcom Advisory - Broadcom published an advisory that discusses an improper use of invalid use of special elements vulnerability in Brocade ASC-Gateway OVA.

Supermicro Advisory #1 - Supermicro published an advisory that discusses 19 vulnerabilities in multiple Supermicro products.

Supermicro Advisory #2 - Supermicro published an advisory that discusses the end-of-life Microsoft Secure Boot CA 2011 that affects multiple Supermicro products.

Updates

Broadcom Update #1 - Broadcom published an update for their Brocade ASCG advisory that was originally published on January 7th, 2025, and most recently updated on January 27^th, 2026.

Broadcom Update #2 - Broadcom published an update for their Brocade SANnav advisory that was originally published on October 14^th, 2024, and most recently updated on July 8^th, 2025.

HP Update #1 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on September 25^th, 2025, and most recently updated on December 11^th, 2025.

HP Update #2 - HP published an update for their Intel Graphics Software advisory that was originally published on November 11^th, 2025.

HPE Update #1 - HPE published an update for their StoreEasy Servers advisory that was originally published on February 11^th, 2026.

HPE Update #2 - HPE published an update for their ProLiant AMD DL/XL Servers advisory that was originally published on February 10^th, 2026.

Researcher Reports

OpenCFD Report - Cisco Talos published a report that describes a code injection vulnerability in the OpenCFD OpenFOAM simulation file.

Exploits

FortiGuard Exploit - Indoushka published an exploit for an exposure of sensitive information to an unauthorized actor vulnerability in the FortiGuard FortiOS.

Splunk Exploit - Indoushka published an exploit for a code injection vulnerability in the Splunk Enterprise product.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-8f7 - subscription required.

Chemical Incident Reporting – Week of 2-14-26

NOTE: See here for series background.

TWITTER: Chemical Incident Reporting – Week of 2-14-26 –

Janesville, WI – 2-12-26

Local News Report: Here, here, here, and here.

There was a steam explosion at a food processing facility. Two people were transported to a hospital with burns, one was sent onward to a burn unit. No reports yet on the amount of damages at the facility.

CSB reportable.

Alington, VT– 2-15-26

Local News Report: Here, here, here, and here.

There was a fuel tanker rollover accident with a release of fuel into a local stream. Responders dammed the stream so that the spilled fuel could be recovered. The driver received minor injuries.

Not CSB reportable, this was a transportation related incident.

Fairfield, OH – 2-17-26

Local News Report: Here, here, here, and here.

There was an explosion and fire at a food treatment facility. One worker was killed and two were transported to local hospitals. No reports yet on the amount of damages at the facility.

CSB reportable.

Toledo, OH – 2-20-26

Local News Report: Here, here, here, and here.

There was an anhydrous ammonia leak from a refrigeration system at a food processing facility. The facility was evacuated and a shelter-in-place order was put in place for the surrounding area. No injuries or damages were reported.

Not CSB reportable.

Review – Bills Introduced – 2-20-26

Yesterday, with the House meeting in pro forma session, there were 41 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7625 To direct the Comptroller General of the United States to conduct a review of the budget, resources, and capabilities of the Coast Guard as the co-Sector Risk Management Agency for the marine transportation system. McDowell, Addison P. [Rep.-R-NC-6]

 

For more information on these bills, including legislative history for similar bills in the 118^th Congress, as well as a mention in passing about a bill that would provide individuals tax credits for the recently vacated presidential tariffs, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-2-20-26 - subscription required.

Review – Public ICS Disclosures – Week of 2-14-26 – Part 1

This was a moderately busy disclosure week. For Part 1 we have bulk vendor disclosures from HPE (6). We have 12 additional vendor disclosures from Arista, Broadcom (2), B&R Automation, Dassault Systems (4), Hitachi, HP, Philips, and Sick.

Bulk Vendor Disclosures – HPE

• HPESBHF04864 rev.1 - Certain HPE SimpiVity Servers Using Certain Intel Processors, INTEL-SA-01244, 2025.2 IPU, Intel Processor Advisory, Local Denial of Service Vulnerability,

• HPESBNW04983 rev.1 - HPE Telco Service Orchestrator software, Prototype Pollution Vulnerability,

• HPESBHF04967 rev.1 - Certain HPE SimpliVity Servers Using Certain Intel Processor BIOS, INTEL-SA-01234, 2025.3 IPU, UEFI Reference Firmware Advisory., Multiple Vulnerabilities,

• HPESBNW05011 rev.1 - Telco Service Activator, Improper Input Validation,

• HPESBNW05012 rev.1 - Local Privilege Escalation Vulnerability in HPE Aruba Networking ClearPass Policy Manager (CPPM) OnGuard Software for Linux,

• HPESBNW04998 rev.1 - Prototype Pollution Vulnerability in HPE Telco Network Function Virtualization Orchestrator

Advisories

Arista Advisory - Arista published an advisory that describes an operation on a resource after expiration or release vulnerability on multiple platforms running their EOS software.

Broadcom Advisory #1 - Broadcom published an advisory that discusses an improper neutralization of a NULL byte or NUL character vulnerability in their Brocade SANnav base OS.

Broadcom Advisory #2 - Broadcom published an advisory that discusses an out-of-bounds write vulnerability in their Brocade SANnav OVA products.

B&R Advisory - B&R published an advisory that discusses 25 vulnerabilities in their Automation Studio product.

Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIAvpm Web Access product.

Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #3 - Dassault published an advisory that describes an out-of-bounds read vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Dassault Advisory #4 - Dassault published an advisory that describes a use of uninitialized variable in their EPRT file reading procedure in SOLIDWORKS eDrawings.

Hitachi Advisory - Hitachi published an advisory that discusses 72 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.

HP Advisory - HP published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Samsung MultiXpress Multifunction Printers.

Philips Advisory - Philips published an advisory that discusses a Google Chrome use after free vulnerability.

Sick Advisory - Sick published an advisory that discusses two Eclipse Cyclone DDS vulnerabilities.

 

For more information on these disclosures, including links to 3^rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-fb5 - subscription required.

Chemical Transportation Incidents – Week of 1-17-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

NOTE: PHMSA resumed making their database publicly searchable on February 17^th, 2026.

Incidents Summary

• Number of incidents – 387 (349 highway, 36 air, 1 rail, 1 water)

• Serious incidents – 2 (0 Bulk release, 1 evacuation, 1 injury, 0 death, 0 major artery closed, 3 fire/explosion, 42 no release)

• Largest container involved – 4,378-gcf DOT 112J340W Railcar {Liquefied Petroleum Gas} Undescribed leak.

• Largest amount spilled – 55-gal Plastic Drum {Corrosive Liquids, N.O.S.} Other container fell on plastic drum.

• Total amount reported spilled in all incidents – 676.2-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Heptanes - Clear colorless liquids with a petroleum-like odor. Flash point 25°F. Less dense than water and insoluble in water. Vapors heavier than air. (Source: CameoChemicals.NOAA.gov).

 

Short Takes – 2-20-26 – Federal Register Edition

Notice of Request for Extension of Approval of an Information Collection; Emergency Management Response System. Federal Register USDA/APHIS 60-day IUCR renewal – Summary: “When a potential foreign animal disease incident is reported, APHIS or State animal health officials dispatch a foreign animal disease veterinary diagnostician to the premises of the reported incident to conduct an investigation. The diagnostician obtains vital epidemiological data by conducting field investigations, including sample collection, and by interviewing the owner or manager of the premises being investigated. These important data, submitted electronically by the diagnostician into EMRS, include such items as the purpose of the diagnostician's visit and suspected disease, type of operation on the premises, the number and type of animals on the premises, the number of sick or dead animals on the premises, the results of physical examinations of affected animals and necropsy examinations, vaccination information on the animals in the herd or flock, biosecurity practices at the site, whether any animals were recently moved out of the herd or flock, whether any new animals were recently introduced into the herd or flock, the number and kinds of test samples taken, and detailed geographic data concerning the premises location.”

Pipeline Safety: Incident Notifications to the National Response Center. Federal Register PHMSA issuance of advisory bulletin. Summary: “PHMSA is issuing this advisory bulletin to remind operators of gas pipelines, underground natural gas storage (UNGS) facilities, and liquefied natural gas (LNG) facilities of their obligation to report incidents in accordance with PHMSA's incident reporting requirements. This advisory bulletin addresses a safety recommendation [link added] that the National Transportation Safety Board (NTSB) issued to PHMSA in response to a fatal incident that occurred on a gas distribution system in February 2018.”

Notice of Availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas. Federal Register FAA notice of availability. Summary: “In accordance with the National Environmental Policy Act of 1969, as amended (NEPA) and FAA Order 1050.1G, FAA National Environmental Policy Act Implementing Procedures, the FAA is announcing the availability of the Final Tiered Environmental Assessment and Finding of No Significant Impact/Record of Decision for Updates to Airspace Closures for Additional Launch Trajectories and Starship Boca Chica Landings of the SpaceX Starship-Super Heavy Vehicle at the SpaceX Boca Chica Launch Site in Cameron County, Texas (Final Tiered EA and FONSI/ROD).”

Extension of Postponement of Effectiveness for Certain Provisions of Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA). Federal Register EPA extension of postponement of effectiveness. Summary: “The Environmental Protection Agency (EPA or Agency) is extending the postponement of the effectiveness of certain regulatory provisions of the final rule entitled “Trichloroethylene (TCE); Regulation Under the Toxic Substances Control Act (TSCA)” for an additional 90 days. Specifically, this postponement applies to the conditions imposed on the uses with TSCA section 6(g) exemptions.”

OMB Declines Generic CDC Traveler Screening ICR Approval

 Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had disapproved an information collection request (ICR) from the Centers for Disease Control (CDC) on “[NCZEID] Traveler Risk Assessment and Management Activities During Disease Outbreaks”. The 60-day ICR notice was published on June 16^th, 2025. The 30-day ICR notice was published on October 2^nd, 2025.

According to the discussion in the 60-day ICR notice:

“Disease outbreaks do not occur at regular intervals, which makes it difficult to estimate how often information collection will be necessary. The purpose of this Generic ICR is to aid in CDC's responsibility to ensure the successful implementation of traveler management in an efficient and timely manner. DGMH intends use this Generic ICR in the event of a disease outbreak that would necessitate the public health assessment and/or monitoring of travelers arriving in the U.S. Although it is possible to anticipate some broad categories of information that would need to be collected, (e.g., potential exposures, symptoms, contact information, etc.), each response is unique and requires flexibility in terms of the specific information collection tool in each instance. Data collection instruments and methods must be rapidly created and implemented to direct appropriate public health action. Often specific questions will change, or new questions will evolve with each disease outbreak.”

In disapproving the proposed generic ICR, OIRA explained:

“Generics are generally voluntary, low-burden (based on a consideration of total burden, total respondents, or burden per respondent), and uncontroversial, thus the collections proposed do not seem appropriate for a generic clearance. CDC is welcome to continue to seek emergency clearance as needed during disease outbreaks.”

I suspect that the disapproval of this ICR is more a response to the problems associated with the management of the COVID epidemic than purely a purely ICR program management decision. While the COVID response should inform a more effective response to the next pandemic, this programmatic response from OIRA rejects that intent.