Monday, March 23, 2026

HR 8029 Introduced – FY 2026 DHS Spending

Last week Rep Ciscomani (R,AZ) introduced HR 8029, the Pay Our Homeland Defenders Act. This bill would provide for spending for the Department of Homeland Security through September 30th, 2026. For the most part this bill is the same as HR 7147, the Department of Homeland Security Appropriations Act, 2026, that is still being ‘considered’ in the Senate.

One provision from HR 7147 is not found in this new bill, §554, Repeal of Senate Notification Requirements Relating to Legal Process on Disclosures of Senate Data. The same provision was included in HR 7148 {§105, Division H}, the last FY 2026 minibus spending bill that was passed in February.

HR 8029 includes the actual text of the spending bill as Division A of the bill. Division B, Further Additional Continuing Appropriations Act, 2026, addresses the period of no funding since February 13th, 2026. It provides the legal language authorizing back pay for DHS employees, and other obligations made by the Department during that period.

The House Rules Committee is scheduled to meet tomorrow to formulate the rule for the consideration of this bill.

Sunday, March 22, 2026

Review – CSB Updates Accidental Release Reporting Data – 3-1-26

Last week the CSB updated their published list of reported chemical release incidents. They added 19 new incidents that occurred since the previous version was published in January 2026. These are not incidents that the CSB is investigating; they are incidents that were reported to the CSB under their Accidental Release Reporting rule (40 CFR 1604) through March 1st, 2026.

The table below shows the top five states based upon the number of reported incidents since the December update was published. In this case, with the short time frame since the last update, these were the only states that had reported incidents.


For more information on the updated incident reporting data, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-release-reporting-b39 - subscription required.

Saturday, March 21, 2026

Forced Instant Tank Ignition

There is an interesting post over on LinkedIn where the author, Valerii Ivanov, introduces a new industrial safety term, ‘forced instant tank ignition’. He uses this term to describe the type of conflagration that is increasingly being seen in the Persian Gulf region: the catastrophic failure and near instantaneous ignition of large petroleum product storage tanks caused by drone and missile strikes.

Ivanov makes the point that chemical safety programs are not equipped to protect facilities from these types of incidents. Tank failure sensors and fire suppression systems have not been designed to respond to the scope and speed of these military conflict-initiated incidents.

To be fair, safety programs have enough problems dealing with neglect, equipment failures, and human mistakes. Asking safety managers to deal with military strikes is certainly going beyond the scope of their training and fiscal support. Having said that, the current Iranian contretemps shows that attacking critical industrial chemical facilities is a cheap route to effective asymmetric warfare, with an impact well beyond the cost of the attack.

Ivanov points to investigating and implementing fire suppression systems that are capable of dealing with this type of instantaneous conflagration. While that would limit the effects of such attacks, safety engineering teaches that preventing incidents is more cost effective than mitigating their effects. Protecting chemical facilities from military scale drone and missile attacks is beyond the capabilities of facility security forces and requires a high-level look at the political and military calculus of point defense operations.

We are certain to see an upturn in the number and effectiveness of smaller scale drone (both air and sea) attacks on chemical facilities by paramilitary and terrorist forces, now that their effectiveness has been clearly demonstrated. Facility security forces are almost certainly going to be called upon to defend against these smaller scale attacks, even if government regulations continue to ignore the need for local counter drone operations.

Short Takes – 3-21-26 – Federal Register Edition

Clearance of Renewed Approval of Information Collection: Human Space Flight Requirements for Crew/Space Flight Participants. Federal Register FAA 60-day ICR renewal notice. Summary: “The collection involves information demonstrating that a launch or reentry operation involving human participants will meet the risk criteria and requirement to ensure public safety. The FAA has established requirements for human space flight crew and space flight participants as required by the Commercial Space Launch Amendments Act of 2004. On December 15, 2006, the FAA published a final rule (71 FR 75616) which established requirements for crew qualifications, training and notification, and training and informed consent requirements for space flight participants. The requirements were designed to achieve public safety and to notify participants of the risks they face from launch or reentry.”

NASA Front Door. Federal Register NASA 60-day ICR renewal notice. Summary: “The NASA Front Door (NFD) is an online/web-based tool that will serve as a centralized digital hub to help facilitate engagement between individuals, organizations, and the workforce of NASA, providing personalized support, guidance, and efficient access to NASA's extensive programs, opportunities, resources, and expertise. The information collection will consist of general contact information, interest/intake information and when appropriate, demographic information as part of registration profile. The information will be reviewed by NASA representatives to route individuals, organizations and the workforce of NASA to relevant NASA services, opportunities, resources, and/or expertise.”

Unmanned Aircraft System (UAS) Integration at Airports and Necessary Planning, Design, and Physical Infrastructure Needs. Federal Register – FAA 30-day new ICR notice. Summary: “The collection involves conducting research in the form of written responses or interviews with aviation stakeholders (e.g., airport/droneport operators, private entities, original equipment manufacturers, unmanned aircraft system (UAS) industry vendors, academia, representatives of the military, aviation stakeholders, etc.) to catalog current and planned droneport planning, design, and infrastructure needs, as well as find out which airports are integrating UAS into the airport environment. During each interview, the FAA will ask the stakeholders a specific set of questions, and if necessary, fact-specific follow-up questions will be posed to clarify and enhance the respondent's answers to the specified set of questions. If preferred, stakeholders will be able to provide written responses in lieu of an interview.”

Pipeline Safety: Request for Special Permit; Sable Offshore Corp. Federal Register PHMSA special permit comment extension. Summary: “On February 24, 2026, PHMSA published a notice to solicit public comment on a request for a special permit submitted by Sable Offshore Corp. (Sable). The comment period is currently set to expire on March 26, 2026. PHMSA is issuing this notice to extend the comment period until 14 days from the date of this notice to give the public time to review the proposed special permit in light of recent developments. At the conclusion of the extended comment period, PHMSA will review the comments received from this notice as part of its evaluation to grant or deny the special permit request.”

New Cosponsor Added for S 2938 – AI Risk Evaluation

Earlier this week, Sen Blackburn (R,TN) was added as a cosponsor to S 2938, the Artificial Intelligence Risk Evaluation Act of 2025. She is a member of the Senate Commerce, Science, and Transportation Committee, to which this bill was assigned for consideration. Since Blackburn is a subcommittee chair, there may now be sufficient influence to see the bill considered in Committee. Still, the AI industry’s opposition to the provisions of the bill may stop the bill from moving forward.

The bill would require DOE to establish an Advanced Artificial Intelligence Evaluation Program, and each year submit to Congress a detailed recommendation for Federal oversight of advanced artificial intelligence systems. No new funding is provided in the bill.

Chemical Incident Reporting – Week of 3-14-26

NOTE: See here for series background.

Dorris, CA – 3-17-26

Local News Report: Here, here, and here.

There was a paraquat dichloride spill on a roadway when a drum fell off of a truck. Twelve people sought medical attention.

Not CSB reportable. Transportation related incident.

Pueblo, CO – 3-17-26

Local News Report: Here, here, and here.

There was a tanker rollover accident that resulted in a diesel fuel spill. The driver suffered minor injuries. The freeway was shut down in both directions while cleanup was completed.

Not CSB reportable. Transportation related incident.

Augusta, GA – 3-18-26

Local News Report: Here, here, and here.

There was an unidentified chemical (ammonia odor) spill on a roadway. The road was closed during the cleanup. No injuries were reported.

Not CSB reportable. Transportation related incident.

Richmond, TX – 3-18-26

Local News Report: Here, here, and here.

There was a train derailment with two leaking ethanol railcars. A total of 23 cars derailed. No injuries were reported. Multiple crossings were blocked.

Not CSB reportable. Transportation related incident.

Janesville, WI – 3-19-26

Local News Report: Here, here, and here.

There was an equipment overpressure explosion at a food processing facility. Two employees with ‘life threatening’ injuries were airlifted to a hospital.

CSB reportable.

Denver, CO – 3-19-26

Local News Report: Here, here, and here.

There was an explosion and fire at a gas station, possibly caused by a natural gas leak. Two people were transported to the hospital with blast and burn injuries. The building was severely damaged.

Probable CSB reportable.

Review – Bills Introduced – 3-20-26

Yesterday, with the Senate in Washington and the House meeting in pro forma session, there were 12 bills introduced. One of those bills will receive additional coverage in this blog:

HR 8029 Pay Our Homeland Defenders Act Ciscomani, Juan [Rep.-R-AZ-6]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-20-26  - subscription required.

Review – Public ICS Disclosures – Week of 3-14-26

This is a relatively light disclosure week. We have bulk vendor disclosures from QNAP (5). We have an additional 10 vendor disclosures from Dassault Systèmes, Dell, HPE (3), Philips, Phoenix Contact, Rockwell Automation, Splunk, and TP-Link. We have bulk vendor updates from HP (6). There are two additional vendor updates from Dell and Siemens. Finally, we have 11 researcher reports for products from Hikvision and TP-Link (10).

Bulk Vendor Disclosures – QNAP

Vulnerability in QVR Pro

Multiple Vulnerabilities in QuNetSwitch (ADRA NDR),

Vulnerability in Media Streaming Add-on,  

Multiple Vulnerabilities in QuRouter (PWN2OWN 2025), and

Vulnerability in QuFTP Service.

Advisories

Dassault Advisory - Dassault published an advisory that describes a code injection vulnerability in their SOLIDWORKS Desktop.

Dell Advisory - Dell published an advisory that describes three vulnerabilities in their ThinOS 10 product.

HPE Advisory #1 - HPE published an advisory that discusses four vulnerabilities in their B-Series SANnav Management Portal product.

HPE Advisory #2 - HPE published an advisory that discusses seven vulnerabilities in their SAN Switches.

HPE Advisory #3 - HPE published an advisory that discusses a stack-based buffer overflow vulnerability in their Telco Service Orchestrator.

Philips Advisory - Philips published an advisory that discusses a Java security library vulnerability.

Phoenix Contact Advisory - Phoenix Contact published an advisory that discusses eight vulnerabilities in their FL SWITCH product lines.

Rockwell Advisory - Rockwell published an advisory that discusses a potential threat actor that is actively targeting Rockwell Automation controllers.

Splunk Advisory - Splunk published an advisory that discusses an improper check for unusual or exceptional conditions vulnerability in their Universal Forwarder product.

TP-Link Advisory - TP-Link published an advisory that describes two vulnerabilities in their TP-Link Archer AX53 product.

Bulk Vendor Updates – HP

Intel NPU Driver February 2026 Security Update,

Intel Chipset Firmware August 2025 Security Update,

Intel NPU Driver November 2025 Security Update,

Intel Processor Stream Cache August 2025 Security Update,

Intel Chipset Firmware February 2026 Security Update,

Intel Graphics Software August 2025 Security Update

Updates

Dell Update - Dell published an update for their Wyse Management Suite advisory that was originally published on February 24th, 2026.

Siemens Update - Siemens published an update for their SIMATIC S7-1500 advisory that was originally published on March 10th, 2026, and most recently updated on March 13th, 2026.

Researcher Reports

Hikvision Report - Cisco Talos published a report that describes a stack-based buffer overflow vulnerability (with proof-of-concept code) in the Hikvision Ultra Face Recognition Terminal.

TP-Link Reports - Cisco Talos published ten reports describing vulnerabilities in the TP-Link Archer AX53 AX3000 Dual Band Gigabit Wi-Fi 6 Router.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-632 - subscription required. 

Friday, March 20, 2026

Review – Bills Introduced – 3-19-26

Yesterday, with both the House and Senate in session, there were 69 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7996 To amend the Homeland Security Act of 2002 to clarify that utility line technicians qualify as emergency response providers. Higgins, Clay [Rep.-R-LA-3] 

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention-in-passing of a bill requiring the reporting of railroad caused brush fires, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-19-26 - subscription required.

Chemical Transportation Incidents – Week of 2-14-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 420 (388 highway, 28 air, 4 rail, 0 water)

• Serious incidents – 1 (1 Bulk release, 0 evacuation, 0 injury, 0 death, 0 major artery closed, 1 fire/explosion, 39 no release)

• Largest container involved – 30,220-gal DOT 117R100W Railcar {Gasoline Includes Gasoline Mixed with Ethyl Alcohol, With Not More Than 10% Alcohol} The liquid and vapor valves were left open and caps were not adequately taped.

• Largest amount spilled – 147-gal Tank Truck {Diesel Fuel} Operator error during unloading at fuel station.

• Total amount reported spilled in all incidents – 1214.5-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: 1,1-Difluoroethane: 1,1-Difluoroethane is a colorless, odorless gas shipped as a liquefied gas under its vapor pressure. Contact with the liquid can cause frostbite. It is easily ignited. Its vapors are heavier than air and a flame can travel back to the source of leak very easily. This leak can be either a liquid or vapor leak. It can asphyxiate by the displacement of air. Under prolonged exposure to fire or heat the containers may rupture violently and rocket. (Source: CameoChemicals.NOAA.gov).


BIS Sends EAR Revision Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOC’s Bureau of Industry and Security (BIS) on “Revisions to the EAR” [Export Administration Regulations]. This would be (as is frequently the case with BIS regulatory actions) a direct final rule.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“In this rule, the Bureau of Industry and Security (BIS) amends the Export Administration Regulations (EAR).”

That is the entire abstract for this rulemaking. Needless to say, this is a less than helpful description of the purpose and scope of the rulemaking. It is hard to tell if there will be any detailed coverage here if/when this is published in the Federal Register.

Thursday, March 19, 2026

Review – 8 Advisories Published – 3-19-26

Today CISA’s NCCIC-ICS published control system security advisories for products from Automated Logic, IGL-Technologies, CTEK, Mitsubishi, and Schneider (4).

Advisories

Automated Logic Advisory - This advisory describes three vulnerabilities in the Automated Logic WebCTRL Premium Server.

IGL-Technologies Advisory - This advisory describes four vulnerabilities in the IGL-Technologies eParking.fi.

CTEK Advisory - This advisory describes four vulnerabilities in the CTEK Chargeportal.

NOTE: I briefly discussed Sarieddine/Sayed’s research into vehicle charging systems back on February 26th, 2026. It is interesting that continuing reports into new systems all show the same four vulnerabilities. Does this mean that all of these systems are using the same core technology?

Mitsubishi Advisory - This advisory describes an improper validation of specified index, position, or offset vulnerability in the Mitsubishi CNC Series products.

Schneider Advisory #1 - This advisory describes a deserialization of untrusted data vulnerability in the Schneider EcoStruxure PME and EPO products.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

Schneider Advisory #2 - This advisory describes code injection vulnerability in the Schneider EcoStruxure Automation Expert.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

Schneider Advisory #3 - This advisory describes a cross-site scripting vulnerability in the Schneider Modicon Controllers.

NOTE: I briefly mentioned this vulnerability on March 16th, 2026.

 

For more information on these advisories, including another ‘missing advisories’ discussion, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-3-19-26-552  - subscription required.

Short Takes – 3-19-26 – Federal Register Edition

Nominations for Substances To Be Evaluated for Toxicological Profile Development. Federal Register ATSDR notice with comment period. Summary: “The Agency for Toxic Substances and Disease Registry (ATSDR), within the Department of Health and Human Services (HHS), announces that it is soliciting nominations of substances to be evaluated for an upcoming set of toxicological profiles. ATSDR is opening a docket for the public to submit nominations and provide comments on which toxicological profiles are developed next. Members of the public, government agencies, or private organizations may comment on which substances they are concerned about so that ATSDR may take this information into consideration when developing future toxicological profiles.”

National Emission Standards for Hazardous Air Pollutants: Ethylene Oxide Emissions Standards for Sterilization Facilities Residual Risk and Technology Review Reconsideration. Federal Register EPA reconsideration of final rule NPRM. Summary: “Based on its reconsideration of the RTR in the 2024 Final Rule, the EPA is proposing to amend the Commercial Sterilization Facilities NESHAP. The amendments would rescind the risk based standards, revise the standard for new aeration room vents that resulted from the technology review, revise the compliance demonstration requirements, and rescind a requirement related to permanent total enclosure (PTE). This proposal also includes technical corrections and clarifications to the Commercial Sterilization Facilities NESHAP and Performance Specification 19 to address erroneous cross-references, omissions of text, and typographical errors in the regulatory text that the EPA has identified after publication of the 2024 Final Rule.”

Internet-Based Telecommunications Relay Service Modernization. Federal Register FCC notice of proposed rulemaking. Summary: “The Federal Communications Commission (Commission) proposes to modernize its telecommunications relay services (TRS) rules and seeks comment on the use of automatic speech recognition (ASR) for speech-to-text conversion and advanced text-to-speech technologies for Internet Protocol (IP) Relay Service; the need for metrics for IP Relay quality; the compatibility of IP Relay with Real-Time Text (RTT) technology; adding captioning functionality to Video Relay Service (VRS) platforms; amending VRS calling rules for calls to U.S. embassies and consulates by U.S. residents while traveling abroad; adjusting VRS call center requirements; streamlining TRS provider certification and user registration processes; updating or eliminating obsolete rules; and closing outdated dockets. With these proposals, the Commission presents targeted reforms that align internet-based TRS with twenty-first century technological advancements in relay services that can better serve the needs of persons with disabilities while securing the viability and enhancing the effectiveness and functional equivalency of internet-based TRS.”

EO 14395 - Establishing the Task Force to Eliminate Fraud. Federal Register.

Wednesday, March 18, 2026

Short Takes – 3-18-26 – Federal Register Edition

Accepted Means of Compliance for Small Unmanned Aircraft (sUA) Category 2 and Category 3 Operations Over Human Beings; ParaZero Technologies Ltd. Federal Register FAA notice of availability. Summary: “This document announces the acceptance of a means of compliance with FAA regulations for sUA Category 2 and Category 3 operations over human beings. The Administrator finds that ParaZero's “ParaZero Part 107 Operations Over People Means of Compliance,” version 1.5, dated February 4, 2026, provides an acceptable means, but not the only means, of showing compliance with FAA regulations.”

National Emission Standards for Hazardous Air Pollutants: Polyether Polyols Production Industry Review. Federal Register EPA final rule. Summary: “The U.S. Environmental Protection Agency (EPA) is finalizing amendments to the National Emission Standards for Hazardous Air Pollutants (NESHAP) for the Polyether Polyols (PEPO) Production source category (“PEPO NESHAP”) under Clean Air Act (CAA) section 112. Specifically, the EPA is finalizing certain ethylene oxide (EtO)-specific standards pursuant to CAA section 112(d)(6) rather than finalizing the proposed second residual risk review and corresponding amendments pursuant to CAA section 112(f)(2). In addition, the EPA is taking final action addressing certain issues raised in an administrative petition for reconsideration. Lastly, the EPA is finalizing maximum achievable control technology (MACT) standards for certain emission points, work practice standards for certain activities where alternatives are appropriate, performance testing requirements once every five years for certain process vents, and electronic reporting requirements for performance test reports, flare management plans, and periodic reports.” Effective date: March 18th, 2026.

EO 14391 - Adjusting Certain Delegations Under the Defense Production Act. Federal Register.

EO 14392 - Ensuring Truthful Advertising of Products Claiming To Be Made in America. Federal Register.

EO 14393 - Promoting Access to Mortgage Credit. Federal Register.

EO 14394 - Removing Regulatory Barriers to Affordable Home Construction. Federal Register.

Review – Bills Introduced – 3-17-26

Yesterday, with both the House and Senate in session, there were 53 bills introduced. One of those bills will receive additional coverage in this blog:

S 4127 A bill making continuing appropriations for essential Transportation Security Administration pay and operations during the lapse in appropriations beginning on February 14, 2026, and for other purposes. Rosen, Jacky [Sen.-D-NV]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a brief mention-in-passing of a bill to remove citizenship from individuals supporting terrorism, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-17-26-e95 - subscription required.

Review – CSB Updated the Status of 8 Investigation Recommendations – 3-16-26

Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing two recommendations with acceptable action and one with acceptable alternative action. These actions left 119 of 1035 recommendations open. Additionally, the CSB updated the open status of four recommendations, noting that the responsible parties had agreed to take the recommended actions. The CSB took all of these actions on March 16th, 2026. The previous update was published on January 20th, 2026.

The three recently closed recommendations are:

 

• Chevron Richmond Refinery Fire, 2012-03-I-CA-R23, Governor and Legislature of the State of California,

• Chevron Richmond Refinery Fire, 2012-03-I-CA-R29, American Petroleum Institute (API), and

• Didion Milling Company Explosion and Fire, 2017-07-I-WI-R4, Didion Milling, Inc

 

For more information on the investigation responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-the-status-of-8-investigation - subscription required.


Tuesday, March 17, 2026

Review – 4 Advisories and 2 Updates Published – 3-17-26

Today CISA’s NCCIC-ICS published four control system security advisories for products from Siemens, Schneider Electric (2), and CODESYS. They also updated two advisories for products from Schneider and Hitachi Energy.

Advisories

Siemens Advisory - This advisory describes four vulnerabilities in the Siemens SICAM SIAPP SDK.

NOTE: I briefly discussed these vulnerabilities on Monday.

Schneider Advisory #1 - This advisory describes a use of hard-coded credentials vulnerability in the Schneider Electric EcoStruxure Data Center Expert.

NOTE: I briefly mentioned this vulnerability on Monday.

Schneider Advisory #2 - This advisory describes an improper check for unusual or exceptional conditions vulnerability in the Schneider SCADAPack and RemoteConnect products.

Updates

Schneider Update - This update provides additional information on the EcoStruxure Power Build Rapsody advisory that was originally published on January 14th, 2026.

I briefly discussed the Schneider update on March 16th, 2026.

Hitachi Energy Update - This update provides additional information on the Relion 670, 650, SAM600-IO Series advisory that was originally published on June 27th, 2023.

I briefly mentioned the Hitachi Energy update on February 1st, 2026.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-2-updates-published-40c - subscription required.

CSB Publishes Accurate Energetic Systems Investigation Update 3-16-26

Yesterday the US Chemical Safety Board announced the publication of an update for their investigation of the October 10, 2025, explosions at the Accurate Energetic Systems facility that killed 16 employees. The report provides an overview of the materials and process involved at Building 602 where the fatal explosion occurred. The report concludes with an outline of the continuing items that the CSB is considering:

• Cause or probable cause of the potential initiating event(s),

• AES’s explosive safety and process safety management programs,

• Equipment design of the kettles used at the AES facility,

• Sensitivities of in-process explosive materials, and

• Industry guidance for commercial facilities that manufacture explosives.

 


Review – Bills Introduced – 3-17-26

Yesterday, with both the House and Senate in session, there were 32 bills introduced. One of those bills will receive additional coverage in this blog:

HR 7945 To ban the sale of nitrous oxide consumer products, and for other purposes. Mullin, Kevin [Rep.-D-CA-15]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention-in-passing of a bill to authorize NSF basic biology research funding, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-17-26 - subscription required.

Monday, March 16, 2026

Review – Committee Hearings – Week of 3-15-26

Both the House and Senate will be in Washington this week with a relatively light hearing schedule. Budget and NDAA related hearings are beginning, but this week there are none of specific interest here. There are two hearings of potential interest here: a House hearing on Chinese technology threats and a Senate confirmation hearing for the replacement DHS Secretary. The Senate will continue to try to pass some sort of DHS funding, probably unsuccessfully. The House may attempt to pass a balanced-budget constitutional amendment.

Chinese Technology Threat

On Tuesday the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on: “DeepSeek and Unitree Robotics: Examining the National Security Risks of PRC Artificial Intelligence, Robotics, and Autonomous Technologies and Building a Secure U.S. Technology Base”.

DHS Secretary Hearings

On Thursday the Senate Homeland Security and Governmental Affairs Committee will hold a confirmation hearing on the appointment of Sen Markwayne Mullin to be the Secretary of Homeland Security.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-3-15-26 - subscription required.

Review – Public ICS Disclosures – Week of 3-7-26 – Part 3

For Part 3 we have an additional bulk vendor disclosure from Schneider Electric (6). There are three additional vendor disclosures from Siemens (2) and Weidmueller. We have bulk vendor updates from Siemens (12). There are also seven vendor updates from FortiGuard (2), HP, Schneider Electric (3), and VMware. Finally, we have three exploits for products from Splunk and WatchGuard (2).

Bulk Vendor Disclosures – Schneider

Improper Resource Shutdown or Release vulnerability in Multiple Products,

Improper Neutralization vulnerability in Multiple Products,

Deserialization of Untrusted Data vulnerability on EcoStruxure™ Foxboro DCS,

Improper Control of Generation of Code ('Code Injection') vulnerability on EcoStruxure™ Automation Expert,

Use of Hard-coded Credentials vulnerability in EcoStruxure™ IT Data Center Expert, and

Deserialization of Untrusted Data vulnerability on Multiple Products.

Advisories

Siemens Advisory #1 - Siemens published an advisory that describes six vulnerabilities in their SICAM SIAPP SDK product.

Siemens Advisory #2 - Siemens published a bulletin about a misconfiguration in Mendix Applications.

Weidmueller Advisory - CERT-VDE published an advisory that describes four vulnerabilities in the Weidmueller Energy Meter 750-XX.

Bulk Vendor Updates – Siemens

Missing Server Certificate Validation in IAM Client,

Multiple Vulnerabilities in Fortigate NGFW Before V7.4.7 on RUGGEDCOM APE1808 Devices,

Missing Server Certificate Validation in Siemens Advanced Licensing (SALT) Toolkit,

Data Validation Vulnerability in NX Before V2512,

Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices,

Multiple Vulnerabilities in SINEC Security Monitor before V4.9.0,

DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery,

Multiple Vulnerabilities in COMOS,

Privilege Escalation Vulnerability in WIBU CodeMeter Runtime Affecting the Desigo CC Product Family and SENTRON Powermanager,

Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5,

Privilege Escalation Vulnerability in SINAMICS Drives, and

Stored Cross-Site Scripting Vulnerability in SIMATIC S7-1500.

Updates

FortiGuard Update #1 - FortiGuard published an update for their OpenSSL advisory that was originally published on January 30th, 2026, and most recently updated on March 3rd, 2026.

FortiGuard Update #2 - FortiGuard published an update for their SSL-VPN Symlink advisory that was originally published on February 10th, 2026.

HP Update - HP published an update for their Intel NPU Driver advisory that was originally published February 25th, 2026.

Schneider Update #1 - Schneider published an update for their FlexNet Publisher advisory that was originally published on January 14th, 2025, and most recently updated on November 11th, 2025.

Schneider Update #2 - Schneider published an update for their ProLeiT Plant iT advisory that was originally published on January 13th, 2026.

Schneider Update #3 - Schneider published an update for their EcoStruxure Power Build Rapsody advisory that was originally published on January 13th, 2026.

VMware Update - Broadcom published an update for their Aria Operations advisory that was originally published on February 24th, 2026.

Exploits

Splunk Exploit - Indoushka published an exploit for a function call with incorrectly specified argument value vulnerability in the Splunk Enterprise product.

WatchGuard Exploit #1 - Indoushka published an exploit for a default SSH credentials vulnerability.

WatchGuard Exploit #2 - Indoushka published a Metasploit module for a privilege escalation vulnerability in the WatchGuard IKEv2.

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-795 - subscription required.

Sunday, March 15, 2026

Review – Public ICS Disclosures – Week of 3-7-26 – Part 2

For Part 2 we have an additional 14 vendor disclosures from Delta Electronics, Janitza, Mitsubishi, Moxa (4), NI (2), Palo Alto Networks (3), Philips, and Ruckus. Part 3 is in the works.

Advisories

Delta Advisory - Delta published an advisory that describes two vulnerabilities in their COMMGR 2 product.

Janitza Advisory - CERT-VDE published an advisory that describes four vulnerabilities in the Janitza UMG 96RM-E products.

Mitsubishi Advisory - Mitsubishi published an advisory that describes an improper validation of specified index, position, or offset vulnerability in their CNC Series products.

Moxa Advisory #1 - Moxa published an advisory that discusses a GNU argument injection vulnerability.

Moxa Advisory #2 - Moxa published an advisory that discusses three vulnerabilities in their DA Series products.

Moxa Advisory #3 - Moxa published an advisory that discusses three vulnerabilities in their DA Series products.

Moxa Advisory #4 - Moxa published an advisory that discusses an insufficient flow control management vulnerability in their DA Series products.

NI Advisory #1 - NI published an advisory that describes two out-of-bounds write vulnerabilities in their Digilent DASYLab product.

NI Advisory #2 - NI published an advisory that describes two out-of-bounds read vulnerabilities in their Digilent DASYLab product.

PAN Advisory #1 - PAN published an advisory that discusses eight vulnerabilities (one with publicly available exploits and listed in CISA’s KEV catalog) in their Prima Browser product.

PAN Advisory #2 - PAN published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their Cortex XDR Agent.

PAN Advisory #3 - PAN published an advisory that describes an exposure of sensitive information to an unauthorized control sphere in their Cortex XDR Broker VM product.

Philips Advisory - Philips published an advisory that discusses the Stryker cyberattack.

Ruckus Advisory - Ruckus published an advisory that discusses the AirSnitch vulnerabilities.

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-194 - subscription required.

Saturday, March 14, 2026

Chemical Incident Reporting – Week of 3-7-26

NOTE: See here for series background.

Charleston, TN – 3-6-26

Local News Report: Here, here, and here.

There was a chemical leak and fire at a chemical manufacturing facility. No injuries were reported and the extent of damages has not been discussed.

Not CSB reportable.

Chattanooga, TN – 3-7-26

Local News Report: Here, here, and here.

There was a nitric acid spill from a moving tractor-trailer. No injuries were reported. Freeway off-ramp and local road closed for cleanup.

Not CSB reportable; this is a transportation-related incident.

St. James Parish, LA – 3-10-26

Local News Report: Here, here, and here.

There was an unidentified chemical leak from a moving tractor-trailer. No injuries were reported. Two traffic lanes were closed pending cleanup.

Not CSB reportable; this is a transportation-related incident.

Pasadena, TX – 3-13-26

Local News Report: Here, here, here, and here.

There was a piping fire at a chemical facility during a flaring event. About 20,000-lbs of n-butane, isobutane and carbon monoxide were released through the flaring system during a tank overpressure relief event. No injuries were reported.

Not CSB reportable.

BIS Withdraws AI Action Plan Final Rule

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that the DOC’s Bureau of Industry and Security (BIS) has withdrawn their submitted final rule on “AI Action Plan Implementation”. The final rule was submitted to OIRA on February 26th, 2026.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“The Bureau of Industry and Security (BIS) intends to rescind portions of the revisions and additions implemented by the Framework for Artificial Intelligence Diffusion,” published January 15, 2025. BIS intends to issue a new rule which will provide a more streamlined framework for enabling the secure deployment of advanced U.S. AI technology abroad.”

I am not sure why this final rule was withdrawn, but the Administration’s AI Action Plan is a significant part of its agenda, so I would expect BIS to resubmit a revised final rule, sooner rather than later.

As I noted in my earlier post on this rulemaking, this does not appear to be something that I would expect to cover in any detail, but AI is increasingly touching on cybersecurity and process management, so it is something that I would expect to be mentioning in passing.

Review – Public ICS Disclosures – Week of 3-7-26 – Part 1

This is a busy cyber disclosure week. For Part 1 we have bulk vendor disclosures from FortiGuard (11), and Splunk (13). There are 15 additional vendor disclosures from ABB (2), CODESYS, Eaton, GE Vernova, Hitachi, HMS (2), HP (3), and HPE (4).

Advisories

Bulk Vendor Disclosures – FortiGuard

Authentication Lockout Bypass via Race Condition,

Buffer Overflow in LLDP OUI field,

Buffer overflow via fgtupdates service,

Format string vulnerability in fazsvcd,

Lack of TLS Certificate Validation during initial SSO Authentication,

MFA Bypass in GUI,

OS command injection on vmimages update feature,

Privilege escalation using undocumented CLI command,

SQL injection in jsonrpc api,

XSS in LDAP server option, and

Shell command limitation bypass by SSH local config overriding.

Bulk Vendor Disclosures – Splunk

Third-Party Package Updates in Splunk AppDynamics Analytics Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics Database Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics NodeJS Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics Java Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics Private Synthetic Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics Machine Agent - March 2026,

Third-Party Package Updates in Splunk AppDynamics On-Premises Enterprise Console - March 2026,

Third-Party Package Updates in Splunk Enterprise - March 2026,

Sensitive Information Disclosure in Discover Splunk Observability Cloud app for Splunk Enterprise,

Sensitive Information Disclosure in MongoClient logging channel in Splunk Enterprise,

Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise,

Remote Command Execution (RCE) through the '/splunkd/upload/indexing/preview' REST endpoint in Splunk Enterprise, and

Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise.

ABB Advisory #1 - ABB published an advisory that describes three vulnerabilities in their AWIN Gateways products.

ABB Advisory #2 - ABB published an advisory that discusses an out-of-bounds write vulnerability in their AC500 V3 product.

CODESYS Advisory - CODESYS published an advisory that describes a TOCTOU race condition vulnerability in their Installer product.

Eaton Advisory - Eaton published an advisory that describes a ‘storing passwords in a recoverable format’ vulnerability in their EasySoft product.

GE Vernova Advisory - GE published a security statement on the US-Iran conflict.

Hitachi Advisory - Hitachi published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their Command Suite product.

HMS Advisory #1 - HMS published an advisory that describes four vulnerabilities in their Ewon Flexy and Ewon Cosy+ gateways.

HMS Advisory #2 - HMS published an advisory that addresses HMS compliance with the EU Radio Equipment Directive 3.3.

HP Advisory #1 - HP published an advisory that discusses six vulnerabilities in multiple HP product lines.

HP Advisory #2 - HP published an advisory that discusses 43 vulnerabilities in their Device Manager product.

HP Advisory #3 - HP published an advisory that discusses two vulnerabilities in multiple HP product lines.

HPE Advisory #1 - HPE published an advisory that discusses an improper handling of values vulnerability in their Compute Scale-up Server 3200 Platform.

HPE Advisory #2 - HPE published an advisory that discusses eight vulnerabilities in multiple server products.

HPE Advisory #3 - HPE published an advisory that discusses a code injection vulnerability in their Telco Intelligent Assurance product.

HPE Advisory #4 - HPE published an advisory that describes five vulnerabilities in their Aruba Networking AOS-CX product.

For more information on these disclosures, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-982 - subscription required.

Friday, March 13, 2026

Review – Bills Introduced – 3-12-26

Yesterday, with just the Senate in Washington and the House meeting in pro forma session, there were 83 bills introduced. Five of those bills will receive additional coverage in this blog:

HR 7294 Trucking Security and CCP Disclosure Act of 2026 Stefanik, Elise M. [Rep.-R-NY-21]

S 4073 A bill making continuing appropriations for essential Transportation Security Administration pay and operations during the lapse in appropriations beginning on February 14, 2026, and for other purposes. Rosen, Jacky [Sen.-D-NV]

S 4074 A bill to make continuing appropriations for essential Cybersecurity and Infrastructure Security Agency pay and operations in the event of a Federal Government shutdown, and for other purposes. Peters, Gary C. [Sen.-D-MI]

S 4075 A bill to make continuing appropriations for Federal Emergency Management Agency pay and operations in the event of a Federal Government shutdown, and for other purposes. Padilla, Alex [Sen.-D-CA]

S 4077 A bill to ensure secure transport of Department of Defense freight, and for other purposes. Cotton, Tom [Sen.-R-AR]

For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-3-12-26 - subscription required.

Chemical Transportation Incidents – Week of 2-7-26

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 431 (386 highway, 37 air, 5 rail, 3 water)

• Serious incidents – 3 (0 bulk release, 1 evacuation, 1 injury, 0 death, 1 major artery closed, 1 fire/explosion, 34 no release)

• Largest container involved – 30,260-gal DOT 117R100W Railcar {Ethanol and Gasoline Mixture or Ethanol and Motor Spirit Mixture or Ethanol and Petrol Mixture, With More Than 10% Ethanol} Improperly installed bottom outlet valve.

• Largest amount spilled – 100-gal trailer {Diesel Fuel} Overfilled trailer.

• Total amount reported spilled in all incidents – 1001.5-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Cyclohexane: A clear colorless liquid with a petroleum-like odor. Used to make nylon, as a solvent, paint remover, and to make other chemicals. Flash point -4°F. Density 6.5 lb / gal (less than water) and insoluble in water. Vapors heavier than air. (Source: CameoChemicals.NOAA.gov).

Thursday, March 12, 2026

Review – 6 Advisories and 1 Update Published – 3-12-26

Today CISA’s NCCIC-ICS published six control systems security advisories for products from Inductive Automation, Siemens (4) and Trane. They also updated an advisory for products from Honeywell. Tuesday’s problem of advisories missing from the CISA advisory email continued today with two advisories not being listed.

There were two additional advisories, and 11 updates published by Siemens this week that have not yet been addressed by CISA. I will discuss those this weekend.

Advisories

Inductive Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Inductive Ignition Software.

HELIOX Advisory - This advisory describes an improper restriction of communication channel to intended endpoints vulnerability in the Siemens Heliox EV Chargers.

SIMATIC Advisory - This advisory describes a cross-site scripting vulnerability in the Siemens SIMATIC S7-1500 products.

SIDIS Advisory - This advisory discusses 23 vulnerabilities in the Siemens SIDIS Prime product.

RUGGEDCOM Advisory - This advisory discusses four vulnerabilities in the Siemens RUGGEDCOM APE1808 devices.

Trane Advisory - This advisory describes five vulnerabilities in the Trane Tracer products.

Updates

Honeywell Update - This update provides additional information for the HIB2PI and HDZ Series CCTV Cameras advisory that was originally published on February 17th, 2026, and most recently updated on February 26th, 2026.

For more information on these advisories, including a discussion about two more ‘missing advisories’, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-e8f - subscription required.