Wednesday, January 21, 2026

Review – CSB Updated the Status of 10 Investigation Recommendations – 1-20-26

Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing eight recommendations with acceptable action and one with acceptable alternative actions. These actions left 114 of 1027 recommendations open. Additionally, the CSB updated the open status of one recommendation. The CSB took all of these actions on January 20th, 2026. The previous update was published on December 5th, 2025.

The nine recently closed recommendations are:

• Loy Lange Box Company Pressure Vessel Explosion, 2017-04-I-MO-R4, Board of Aldermen, City of St. Louis, MO,

• Loy Lange Box Company Pressure Vessel Explosion, 2017-04-I-MO-R5, Board of Aldermen, City of St. Louis, MO,

• Kuraray Pasadena Release and Fire, 2018-03-I-TX-R11, Kuraray America, Inc.,

• Intercontinental Terminals Company (ITC) Tank Fire, 2019-01-I-TX-R3, Intercontinental Terminals Company,

• Bio-Lab Lake Charles Chemical Fire and Release, 2020-05-I-LA-R4, Bio-Lab Lake Charles,

• Valero McKee Refinery Propane Fire, 2007-5-I-TX-R4, American Petroleum Institute (API),

• LyondellBasell La Porte Fatal Chemical Release, 2021-05-I-TX-R5, American Petroleum Institute (API),

• LyondellBasell La Porte Fatal Chemical Release, 2021-05-I-TX-R1, LyondellBasell Industries, and

• LyondellBasell La Porte Fatal Chemical Release, 2021-05-I-TX-R2, LyondellBasell Industries

 

For more information on the investigation responses, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-the-status-of-10-investigation - subscription required.

Review – Bills Introduced – 1-20-26

Yesterday with just the House in Washington, there were 23 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7147 Making further consolidated appropriations for the fiscal year ending September 30, 2026, and for other purposes. Cole, Tom [Rep.-R-OK-4]

HR 7148 Consolidated Appropriations Act, 2026 Cole, Tom [Rep.-R-OK-4] 

I briefly discussed HR 7147 and HR 7148 yesterday. The official text for both bills (HR 7147 and HR 7148) is available.

 

For more information on these bills, including a discussion about a possible DHS shutdown, as well as a mention in passing about a USDA security ties bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-20-26 - subscription required.

Tuesday, January 20, 2026

Rule Hearing for Last Minibus and DHS Spending Bills

This afternoon the House Rules Committee announced that it would hold a rule hearing tomorrow on two spending bills: HR 7148 - Consolidated Appropriations Act, 2026, and HR 7147 - Department of Homeland Security Appropriations Act, 2026. HR 7148 is the 4th FY 2026 minibus and includes DOD, LHH, and THUD spending bills. HR 7147 is an attempt at crafting a bipartisan DHS spending bill.

As with the three earlier minibus bills that have passed in the House, the Rules Committee page includes an explanatory statement for each of the bill’s divisions.

Division A - Department of Defense Appropriations Act, 2026,

Division B - Departments of Labor, Health And Human Services, and Education, and Related Agencies Appropriations Act, 2026, and

Division D - Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2026.

According to the ‘Front Matters’ explanatory statement, there was a Division C - Department of Homeland Security Appropriations Act, 2026, but it was moved to HR 7147. Apparently, the leadership decided that they did not want to chance concerns about immigration theatrics endangering the passage of the three remaining spending bills in HR 7148.

The rule hearing is scheduled for tomorrow afternoon and it is likely to run late into the evening. The House should vote on both bills on Thursday. This would give the Senate a chance to squeeze all three spending bills into floor votes before midnight on January 30th, 2026, the deadline for the current spending bill.

There are questions about whether there is a chance that this DHS spending bill (or any DHS spending bill in the current environment) can pass in the Senate. A press release from Sen Murray (D,WA), Ranking Member of the Senate Appropriations Committee, makes the following point:

““What we have seen from Kristi Noem’s Department of Homeland Security is frankly sick and un-American. ICE is out-of-control, terrorizing people, including American citizens, and actively making our communities less safe. ICE must be reined in, and unfortunately, neither a CR nor a shutdown would do anything to restrain it, because, thanks to Republicans, ICE is now sitting on a massive slush fund it can tap whether or not we pass a funding bill. The suggestion that a shutdown in this moment might curb the lawlessness of this administration is not rooted in reality: under a CR and in a shutdown, this administration can do everything they are already doing—but without any of the critical guardrails and constraints imposed by a full-year funding bill.”

Review – 3 Advisories and 3 Updates Published – 1-20-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from Rockwell Automation and Schneider Electric (2). They also updated advisories for products from Mitsubishi Electric and Schneider (2).

Advisories

Rockwell Advisory - This advisory describes two vulnerabilities in the Rockwell Verve Asset Manager.

Schneider Advisory #1 - This advisory discusses 37 vulnerabilities in the Schneider devices using CODESYS Runtime.

NOTE: I briefly discussed these vulnerabilities on July 15th, 2023.

Schneider Advisory #2 - This advisory discusses an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider EcoStruxure Foxboro DCS.

NOTE: I briefly discussed this vulnerability on December 14th, 2025.

Updates

Mitsubishi Update - This update provides additional information on the MELSOFT Update Manager that was originally published on July 3rd, 2025.

NOTE: I briefly discussed the updated information on December 20th, 2025.

Schneider Update #1 - This update provides additional information on the Uni-Telway Driver that was originally published on February 2nd, 2025, and most recently updated on January 13th, 2026.

NOTE: I briefly discussed the latest information from Schneider’s January 13th, 2026 update on January 18th, 2026.

 

For more information on these advisories, as well as ongoing commentary on version dates in CISA’s new ‘Republication’ advisory format, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-3-updates-published-63d - subscription required.

Review – OMB Approves PHMSA Gas Release Reporting ICR Revision

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an information collection request (ICR) revision from the DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) for “Incident Reports for Natural Gas Pipeline Operators”. The 60-day ICR notice was published on December 17th, 2020. The 30-day ICR notice was published on August 13th, 2025. The revision relates to a proposed change to the instructions for Form PHMSA F 7100.2, Incident Report – Gas Transmission, Gas Gathering, And Underground Natural Gas Storage Facilities, clarifying the reporting requirements for discharges from pressure relief devices.

The table below shows the changes in the burden estimate that result from those changes in instructions.

NOTE: The ‘New Version’ data comes from the Supporting Document provided to OIRA.

 

For more information on the burden estimate and changes in instructions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/omb-approves-phmsa-gas-release-reporting - subscription required.

OMB ‘Approves’ 2 PHMSA ICR Revisions

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced (see below for links) final action on two information collection request (ICR) revisions submitted by DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA). Both ICRs were submitted as part of notices of proposed rulemaking (NPRMs) published last year by PHMSA. OIRA has provided comments on the proposed rulemaking dockets (not yet listed because yesterday was a federal holiday) and ordered PHMSA to continue the current ICR, pending publication of the final rule.

The two ICRs are:

• Rail Carrier and Tank Car Tanks Requirements, Rail Tank Car Tanks - Transportation of Hazardous Materials by Rail (2137-0559), NPRM, Comment Docket,

• Hazardous Materials Shipping Papers & Emergency Response Information (2137-0034), NPRM, Comment Docket.

These two NPRMs were part of a tranche of rulemakings PHMSA published on July 1st, 2025 (see my brief posts here and here), part of the Administration’s move to reduce regulatory burdens. Interestingly, the second ICR “reflects a[n] increase in responses, burden hours and salary cost”, due to new reporting requirements.

Monday, January 19, 2026

Review – Committee Hearings – Week of 1-18-26

With just the House in Washington this week, and that a short, 3-day week, there is a light hearing schedule. We have a DHS oversight hearing and a transportation security hearing on the schedule. On the floor we are looking for the last minibus spending bill.

Oversight Hearings

On Wednesday the House Homeland Security Committee will hold an oversight hearing on “Oversight of the Department of Homeland Security: CISA, TSA, S&T”.

Transportation Security

On Wednesday the Subcommittee on Oversight of the House Judiciary Committee will hold a hearing on “Embedded Threats: Foreign Ownership, Hidden Hardware, and Licensing Failures in America’s Transportation Systems”.

On the Floor

There is only one item of potential interest here on this week’s House schedule; on the bottom of the page is a note: “Consideration of items related to FY26 Appropriations are possible.” This is likely to take the form of either a 4th minibus covering DHS, LHH, and THUD (the remaining spending bills that the House has yet to pass) or a continuing resolution covering those agencies.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-1-18-26  - subscription required.

Sunday, January 18, 2026

Review – Public ICS Disclosures – Week of 1-10-26 – Part 2

For Part 2 we have seven additional vendor disclosures from ABB, Advantech, FortiGuard, Phoenix Contact, Supermicro, and Wireshark (2). We also have bulk vendor updates from Siemens (14). Finally, there are also five vendor updates from FortiGuard, HPE, and Schneider (3).

Advisories  

ABB Advisory - ABB published an advisory that describes an incorrect implementation of authentication algorithm vulnerability in their Ability OPTIMAX product.

Advantech Advisory - CSA published an advisory that describes an SQL injection vulnerability (with publicly available exploit) in the Advantech IoTSuite and IoT Edge products.

FortiGuard Advisory - FortiGuard published an advisory that describes an OS command injection vulnerability (with publicly available exploit) in their FortiSIEM products.

Phoenix Contact Advisory - Phoenix Contact published an advisory that describes a code injection vulnerability in their TC ROUTER and CLOUD CLIENT Industrial mobile network routers.

Supermicro Advisory - Supermicro published an advisory that describes two improper verification of cryptographic signature vulnerabilities in their BMC firmware.

Wireshark Advisory #1 - Wireshark published an advisory that describes an infinite loop vulnerability in their HTTP3 dissector.

Wireshark Advisory #2 - Wireshark published an advisory that describes a crash vulnerability in their SOME/IP-SD dissector.

Wireshark Advisory #3 - Wireshark published an advisory that describes a crash vulnerability in their IEEE 802.11 dissector.

Wireshark Advisory #4 - Wireshark published an advisory that describes a crash vulnerability in their BLF file parser.

Vendor Updates

FortiGuard Update - FortiGuard published an update for their `Host` header injection advisory that was originally published on January 14th, 2025.

NOTE: This advisory was not listed on the FortiGuard PSIRT website.

HPE Update - HPE published an update for their OneView Software advisory that was originally published on December 17th, 2025.

Schneider Update #1 - Schneider published an update for their Modicon Controllers M340 advisory that was originally published on November 12th, 2024, and most recently updated on April 8th, 2025.

Schneider Update #2 - Schneider published an update for their RemoteConnect advisory that was originally published on January 14th, 2025.

Schneider Update #3 - Schneider published an update for their Uni-Telway Driver advisory that was originally published on February 11th, 2025, and most recently updated on July 8th, 2025.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-5df - subscription required.

Saturday, January 17, 2026

Short Takes – 1-17-26 – Space Geek Edition

The countdown to clean orbits has begun with ESA’s Zero Debris Charter. SpaceNews.com commentary. Pull quote: “And even if humanity were to stop launching new satellites tomorrow, orbital debris would still multiply for years to come. Over 140 million fragments smaller than one centimeter now orbit Earth, joined by more than 1.2 million between one and ten centimeters in size. Only a tiny fraction, roughly 1%, can be tracked with any reliability. These may seem small and insignificant, but they are anything but. For instance, a clear example from the European Space Agency reported a 7 mm chip was found in one of the windows on the International Space Station’s Cupola, caused by “a tiny piece of space debris, possibly a paint flake or small metal fragment no bigger than a few thousandths of a millimeter across”.”

Congress passes minibus spending bill that rejects proposed NASA cuts. SpaceNews.com article. Pull quote: ““This is another area where we rejected the very deep cuts proposed by the Trump administration, including the 47% cut they had proposed to NASA’s science budget,” said Sen. Chris Van Hollen, D-Md. “We won’t have a space program if we don’t understand what’s happening in space.””

NASA pessimistic about odds of recovering MAVEN. SpaceNews.com article. Pull quote: “Recovery efforts are complicated by the current solar conjunction period, when Mars is behind the sun and radio communications are disrupted. NASA paused communications with all Mars missions on Dec. 29 and plans to resume them Jan. 16.”

TrustPoint demonstrates non-GPS navigation for LEO satellites. SpaceNews.com article. Pull quote: “The company developed a ground station called LEONS, shorthand for low Earth orbit navigation system, designed to provide GPS-independent positioning, navigation and timing signals to satellites in space, said TrustPoint’s chief executive and co-founder Patrick Shannon.”

ESA’s Comet Interceptor mission moves up launch. SpaceNews.com article. Pull quote: “Comet Interceptor is unusual in that its target may not be identified until after launch. The spacecraft will loiter at the Earth-sun L2 point for up to several years, waiting for a suitable target. The mission aims to fly by a long-period comet originating in the distant reaches of the outer solar system.”

Indian startup Aule Space enters satellite servicing market. SpaceNews.com article. Pull quote: “Aule Space hopes to do so less expensively, though, than other companies. “Operating out of India, and having our engineering base here, will help give us the cost advantages that are required in such a cost-sensitive economy,” said Jay Panchal, co-founder and chief executive of the company, in an interview. “To make the business case for life extension, cost is the biggest factor.””

When allies can’t count on U.S. ISR, commercial space becomes strategic. SpaceNews.com commentary. Pull quote: “In practical terms, allies face three options. They can accept reduced access to U.S. ISR. They can build sovereign space architectures of their own — an expensive, multi-year undertaking. Or they can pursue alternative models that deliver intelligence effects faster, at lower cost and with greater resilience.”

Backlog List

Benchmark demonstrates high-throughput ASCENT thruster in hotfire testing at Edwards Air Force Base,

GEO satellite refueling a priority for national security, commercial markets, new analysis finds,

Washington state will provide $350K to support Portal Space System’s satellite factory in Bothell,

Report identifies science objectives of human Mars exploration,

Senators return to effort to boost cybersecurity for commercial satellite industry,

Swarm detects rare proton spike during solar storm,

NASA Seeks In-Space Manufacturing Ideas,

How one controversial startup hopes to cool the planet,

Southeast Asia seeks its place in space, and

Beyond the horizon: cost-driven strategies for space-based data centers.

Review – Bills Introduced – 1-16-26

With the House in Washington, and the Senate meeting in pro forma session, there were 22 bills introduced. One of those bills will be covered in this blog:

HR 7128 TRIA Program Reauthorization Act of 2026 Flood, Mike [Rep.-R-NE-1]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill to pay federal employees during a shutdown, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-16-23 - subscription required.

Chemical Incident Reporting – Week of 1-10-26

NOTE: See here for series background.

Garnet, KS – 12-31-25

Local News Report: Here, here, here, and here.

There was an unknown corrosive-chemical spill from a truck passing through town. No one was injured, but 266 vehicles had to have the chemical cleaned off. Photos seem to indicate that the affected vehicles drove through the spilled material on the road’s surface and sprayed the liquid onto their own bodies. The US EPA funded the vehicle cleaning.

Not CSB reportable, this is a transportation-related incident.

Birmingham, AL – 1-16-23

Local News Report: Here and here.

There was a spill of dry calcium carbonate on a freeway from an unknown source. The roadway was closed to identify the white powder and clean up the material. No injuries or damages were reported.

Not CSB reportable, transportation related.  

Review – Public ICS Disclosures – Week of 1-10-26 – Part 1

This is a moderately busy disclosure week. We have six bulk vendor disclosures from HPE (6). We have 11 additional vendor disclosures from Delta Electronics (2), FortiGuard (2), Meinberg, NI, Schneider (3), and Palo Alto Networks (2).

Bulk Disclosures – HPE

HPESBHF04991 rev.1 - Certain HPE ProLiant DL/XL Servers Using Certain AMD EPYC Processors, AMD-SB-3027, SEV-SNP Guest Stack Pointer Corruption Vulnerability,

HPESBNW04993 rev.1 - HPE Telco Service Orchestrator software, Buffer Overflow Vulnerability,

HPESBNW04992 rev.1 - Multiple Vulnerabilities HPE Aruba Networking EdgeConnect SD-WAN Orchestrator,

HPESBNW04994 rev.1 - Local Privilege Escalation Vulnerability in HPE Aruba Networking Virtual Intranet Access (VIA) Client for Linux,

HPESBNW04988 rev.1 - HPE Networking Instant On, Multiple Vulnerabilities,

HPESBNW04987 rev.1 - Multiple Vulnerabilities in HPE Aruba Networking AOS-8 and AOS-10 for Mobility Conductors, Controllers, and Gateways.

Advisories

Delta Advisory #1 - Delta published an advisory that describes a command injection vulnerability in their DIAView product.

Delta Advisory #2 - Delta published an advisory that describes two vulnerabilities in their DIAView product.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes a heap-based buffer overflow vulnerability in their FortiOS and FortiSwitchManager products.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a server-side request forgery vulnerability in their FortiSandbox product.

Meinberg Advisory - Meinberg published an advisory that discusses 10 vulnerabilities (two with publicly available exploits) in their LANTIME product.

NI Advisory - NI published an advisory that discusses an improper handling of length parameter inconsistency vulnerability (listed in CISA’s KEV catalog) in multiple NI products.

Schneider Advisory #1 - Schneider published an advisory that discusses four vulnerabilities in their Plant iT/Brewmaxx product.

Schneider Advisory #2 - Schneider published an advisory that describes an incorrect default permissions vulnerability in their EcoStruxure Process Expert products.

Schneider Advisory #3 - Schneider published an advisory that discusses five vulnerabilities in multiple products.

Palo Alto Networks Advisory #1 - PAN published an advisory that discusses 27 vulnerabilities in their Prisma Browser.

Palo Alto Networks Advisory #2 - PAN published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their PAN-OS and Prisma Access products.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-c84 - subscription required.

Friday, January 16, 2026

Review – Bills Introduced – 1-15-26

Yesterday, with both the House and Senate in Washington (and the Senate preparing to spend next week back in their States), there were 97 bills introduced. None of those bills will receive additional coverage here, but there is one space geek bill.

Space Geek Legislation

I would like to mention one bill under my limited Space Geek coverage in this blog:

S 3672 A bill to amend title 51, United States Code, to authorize the Administrator of the National Aeronautics and Space Administration to conduct a public-private talent program, and for other purposes. Kim, Andy [Sen.-D-NJ]

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of a bill to pay CBP and ICE employees in the event of a limited Federal government shutdown, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-15-26 - subscription required.

Review – HR 6507 Introduced - DHS Grants Accountability Act

Last month Rep Kennedy (D,NY) introduced HR 6507, the DHS Grants Accountability Act. The bill would require DHS to award homeland security grants, and revise deadlines and application requirements for those grants. No new funding is authorized.

The covered grant programs would include:

Urban Area Security Initiative,

State Homeland Security Grant Program, and

Nonprofit Security Grant Program

Public Transportation Grants,

Railroad Security Assistance,

Over-The-Road Bus Security Assistance, and

Port Security Grants.

Moving Forward

Both Kennedy and his sole cosponsor, Rep Thompson (D,MS), are members of the House Homeland Security Committee to which this bill was assigned for consideration. This means that there could be sufficient influence to see this bill considered in Committee. Unfortunately, this bill was crafted to prevent the current Administration from withholding grant funding as was done last year. This means that the current leadership is unlikely to allow the bill to be considered. If it were to be considered, I suspect that there would be some level of bipartisan support for the bill. It is unclear whether that support would be sufficient to allow the bill to be taken up by the full House under the suspension of the rules process.

 

For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6507-introduced-dhs-grants-accountability - subscription required.

Thursday, January 15, 2026

Review – 12 Advisories and 3 Updates Published – 1-15-26

Today CISA’s NCCIC-ICS published 15 control system security advisories for products from Siemens (9), Schneider Electric, Festo, and AVEVA. They also updated advisories for products from Mitsubishi Electric (2) and Axis Communications.

Advisories

SIMATIC Advisory #1 - This advisory describes five vulnerabilities in the Siemens SIMATIC CN 4100 communications node.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

SIMATIC Advisory #2 - This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC and SIPLUS product lines.

RUGGEDCOM Advisory #1 - This advisory describes six vulnerabilities in the Siemens RUGGEDCOM ROX II family.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

RUGGEDCOM Advisory #2 - This advisory discusses four vulnerabilities in the Siemens RUGGEDCOM APE1808 Devices.

RUGGEDCOM Advisory #3 - This advisory describes an improper input validation vulnerability in the Siemens RUGGEDCOM ROS products.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

Industrial Edge Advisory #1 - This advisory describes an authorization bypass through user controlled key vulnerability in the Siemens Industrial Edge Device Kit.

Industrial Edge Advisory #2 - This advisory describes an authorization bypass through user controlled key vulnerability in the Siemens Industrial Edge Devices.

SINEC Advisory - This advisory describes two vulnerabilities in the Siemens SINEC Security Monitor.

NOTE: I briefly mentioned these vulnerabilities on December 14th, 2026.

TeleControl Advisory - This advisory describes an execution with unnecessary privileges vulnerability in the Siemens TeleControl Server Basic.

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider EcoStruxure Power Build Rapsody.

Festo Advisory - This advisory describes an insufficient technical documentation vulnerability in multiple Festo products.

NOTE: I briefly discussed this vulnerability on December 3rd, 2022.

AVEVA Advisory - This advisory describes seven vulnerabilities in the AVEVA Process Optimization product.

Updates

Mitsubishi Update #1 - This update provides additional information on the MC Works64 Products advisory that was originally published on July 26th, 2022, and most recently updated on July 24th, 2025.

NOTE: I briefly discussed this updated information on January 10th, 2026.

Mitsubishi Update #2 - This update provides additional information on the FA Engineering Software Products advisory that was originally published on May 14th, 2024, and most recently updated on August 28th, 2025.

Axis Update - This update provides additional information on the Camera Station Pro advisory that was originally published on December 18th, 2025.

 

For more information on these advisories, as well as an ongoing discussion about CISA format changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-advisories-and-3-updates-published - subscription required.

Short Takes – 1-15-26 – Federal Register Edition

Pipeline Safety: Class Location Change Requirements. Federal Register, PHMSA final rule. Summary: “PHMSA is updating its regulations to allow operators to apply modern risk management principles in addressing the safety of gas pipelines affected by class location changes. Relying on an approach originally developed in the 1950s, PHMSA's regulations use class locations to provide an additional margin of safety in the design, construction, testing, operation, and maintenance of gas pipelines based on population density. When the class location of a pipeline changes due to an increase in population density, an operator may need to take certain actions to confirm or to revise the maximum allowable operating pressure of a segment. Because the methods traditionally used for that purpose do not account for modern risk management principles, PHMSA has granted special permits for more than two decades allowing operators to use an integrity-management-based alternative. This final rule adopts that `IM alternative' by regulation to provide operators with an additional method for confirming or restoring the maximum allowable operating pressure of certain eligible segments that experience class location changes.” Effective date: March 16th, 2026.

Hazard Communication Standard. Federal Register, OSHA extension of compliance dates. Explanation: “The initial compliance deadline in section 1910.1200(j)(2)(i) of January 19, 2026, for manufacturers, importers, and distributors evaluating substances, is imminent. Members of the regulated community have asked for additional guidance to comply with the updated HCS. Although OSHA has been working to finalize key guidance about the updated HCS for both the regulated community and agency personnel, the agency has not been able to complete these documents with sufficient time for the regulated community and OSHA personnel to benefit from them before the initial compliance date. OSHA has determined it is necessary to extend the initial compliance date in paragraph (j)(2)(i) by four months to allow time for the agency to publish the necessary guidance materials and for the regulated community to review those materials before the revised provisions take effect. To maintain the tiered approach to compliance adopted in the final rule (89 FR 44144, 44302), OSHA is also extending each of the subsequent compliance dates in paragraph (j)(2)(ii) and (j)(3) by four months.”

Revision to License Review Policy for Advanced Computing Commodities. Federal Register BIS final rule. Summary: “The Bureau of Industry and Security (BIS) is revising its license review policy for exports of certain semiconductors to China and Macau—changing it from a presumption of denial to a case-by-case review. The semiconductors covered by this rule are the Nvidia H200 and its equivalents, as well as less advanced chips—provided that (1) the semiconductors are commercially available in the United States at the time of publication of this rule and (2) the exporter certifies that: there is sufficient supply of this product in the United States; production of this product for exports to China will not divert global foundry capacity for similar or more advanced products for end users in the United States; the recipient has demonstrated sufficient security procedures; and the item undergoes independent, third-party testing in the United States to verify its performance specifications.”

EO 14373 - Safeguarding Venezuelan Oil Revenue for the Good of the American and Venezuelan People. Federal Register.

HR 7006 Passes in the House – 3rd FY 2026 Minibus

Yesterday the House took up HR 7006, the Financial Services and General Government and National Security, Department of State, and Related Programs Appropriations Act, 2026. This is the third minibus spending bill for FY 2026. The bill was considered under a rule, H Res 992, that provided for limited debate and the consideration of two amendments. The rule passed early in the day by a straight party-line vote of 213 to 210.

The House leadership avoided the difficulty seen in the rule vote for the earlier minibus, by agreeing to floor votes on two amendments offered by Republican bomb-throwers, Rep Roy (R,TX) and Rep Crane (R,AZ). Roy’s amendment on DC Circuit court spending failed by a vote of 163 to 257, with 46 Republicans voting NAY. Similarly, Crane’s amendment to prohibit funding for the National Endowment for Democracy failed by a vote of 127 to 291, with 81 Republicans voting NAY.

The final vote on HR 7006 was a bipartisan 341 to 79, with opposition coming from both Republicans (22) and Democrats (57).

The bill now moves to the Senate for consideration. The Senate is currently scheduled to be out of Washington next week, but it could still take up HR 7006 in the last week in January and still meet the current January 30th deadline to keep the remainder of the federal government open. This would still leave four spending bills incomplete (DOD, DHS, THUD, and LHH). The House passed HR 4016, the DOD spending bill, back in July, so the Senate could technically complete action on that bill before the deadline arrives. That was a partisan House bill, so it would almost certainly have to be amended in the Senate to pass, which would require a subsequent vote in the House before the bill went to the President. There has not been any announcement yet of a 4th minibus to close out the spending bills, but with the controversies surrounding those bills (particularly DHS), I suspect that a continuing resolution will be required to keep those agencies open past January 30th.

Wednesday, January 14, 2026

Review – PHMSA Publishes Fuel Transportation Final Rule

Today DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) published a final rule in the Federal Register (91 FR 1433) on “Hazardous Materials: Eliminating Unnecessary Regulatory Burdens on Fuel Transportation”. The notice of proposed rulemaking (NPRM) was published on October 28th, 2024, under the title “Hazardous Materials: Advancing Safety of Highway, Rail, and Vessel Transportation”.

This final rule is somewhat reduced in scope from the proposed change found in the NPRM. The changes that were adopted include:

In part 107, subpart F, revise the cargo tank facility registration requirements to allow for electronic submission procedures.

In section 171.7, replace the current incorporation by reference of Chlorine Institute (CI) drawings in paragraphs (l)(3) and (l)(4) with the entire CI Pamphlet 49, Recommended Practices for Handling Chlorine Bulk Highway Transports, which provides guidelines for the safe transportation of chlorine by highway. The updated incorporation by reference includes the use of the Midland Type pressure relief device (PRD) for cargo tanks transporting chlorine as referenced in updated section 173.315.

In section 172.336, revise the marking requirements for multiple petroleum distillate fuels to allow the marking of the identification number of the fuel with the lowest flash point transported in the same or previous business day.

In section 172.704, include hazmat employees who only manufacture packagings within the scope of the existing exception from safety training. Further, remove the security awareness training requirement for any hazmat employees who only perform hazmat activities related to packagings (e.g., employees who manufacture, repair, modify, recondition, or test packagings, and do not offer for transportation or transport hazardous materials in commerce).

In section 178.337-1(d), allow the use of external coverings other than paint that meet reflectivity requirements for Cargo Tank Motor Vehicles (CTMVs).

In section 180.407(a)(7), allow the use of video cameras or video optics equipment for cargo tank inspections or tests.

Effective Dates

Effective date – February 13th, 2026,

Voluntary compliance date – January 14th, 2026, and

Incorporation by reference date – February 13th, 2026.

 

For more information on the provisions of this rule, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/phmsa-publishes-fuel-transportation - subscription required.

MS Update of ICS Importance

Yesterday’s Krebs on Security post about the January 2026 Microsoft updates included a very interesting paragraph:

““That’s not a typo; this vulnerability [CVE-2023-31096] was originally published via MITRE over two years ago, along with a credible public writeup by the original researcher,” Barnett [at Rapid7] said. “Today’s Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades. These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems [emphasis added].””

It will be interesting to see how quickly this starts getting addressed in control system advisories as a third-party vulnerability, especially since there is a publicly available exploit for the vulnerability. The removal of the driver from patched Windows systems will be of more immediate concern if a modem using the driver is being run on that system. This is why you would test updates before running them in a live control system.
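A pre-patch inventory check for the situation described above, as an added example (not code from Microsoft, Rapid7, or this blog). The two driver file names come from the quoted comment; the default driver directory and the idea of collecting one summary record per host are assumptions.

```powershell
# Pre-patch inventory (added example). The two file names come from the quoted
# Rapid7 comment; the default driver directory is an assumption.
$driverFiles = 'agrsm64.sys', 'agrsm.sys'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Driver files still present on disk.
$onDisk = @(foreach ($name in $driverFiles) {
    $path = Join-Path $driverDir $name
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        [pscustomobject]@{
            File      = $name
            Version   = $file.VersionInfo.FileVersion
            LastWrite = $file.LastWriteTime
        }
    }
})

# 2. Kernel driver services whose image path ends in one of those files.
$services = @(Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
    $imagePath = $_.PathName
    $imagePath -and ($driverFiles | Where-Object { $imagePath -like "*\$_" })
} | Select-Object Name, State, StartMode, PathName)

# 3. Modem-class devices installed on this host, with the driver package bound to each.
$modems = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -eq 'MODEM' } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, InfName)

# 4. One summary record per host, for collection across the test environment.
$running = @($services | Where-Object State -eq 'Running')
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DriverFilesFound = $onDisk.Count
    DriverServices   = $services.Count
    RunningServices  = $running.Count
    ModemDevices     = $modems.Count
    # A running driver service or any installed modem means the update
    # should be exercised on a test system that has the modem attached.
    NeedsReview      = ($running.Count -gt 0) -or ($modems.Count -gt 0)
}

# Detail behind the summary.
$onDisk
$services
$modems
```

A host that reports the files on disk but no driver service and no modem device is the case where the removal should pass unnoticed; a host flagged `NeedsReview` is one where the modem path needs to be tested before the update reaches production.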

Tuesday, January 13, 2026

Short Takes – 1-13-26 – Federal Register Edition

Railroad Safety Advisory Committee; Charter Reestablishment. Federal Register FRA advisory committee notice – Summary: “FRA announces the charter reestablishment of the RSAC, a Federal Advisory Committee established by the U.S. Secretary of Transportation in accordance with the Federal Advisory Committee Act to provide information, advice, and recommendations to the FRA Administrator on matters relating to railroad safety. This charter renewal will be effective for two years from the date it is filed with Congress.”

Name of Information Collection: NASA Safety Reporting System (NSRS). Federal Register NASA 30-day ICR notice. Abstract: “This collection provides a means by which NASA contractors can voluntarily and anonymously report any safety concerns or hazards pertaining to NASA programs, projects, or operations. NASA is committed to effectively performing the Agency's communication function in accordance with the Space Act Section 203(a)(3) to “provide for the widest practicable and appropriate dissemination of information concerning its activities and the results thereof,” and to enhance public understanding of, and participation in, the nation's aeronautical and space program in accordance with the NASA Strategic Plan.” Comments due February 12th, 2026.

Centennial Challenges Deep Space Food Challenge: Mars to Table Registration. Federal Register NASA program notice. Summary: “Deep Space Food Challenge: Mars to Table is open, and teams that wish to compete may now register. NASA initiated Centennial Challenges in 2005 to create public prize competitions that stimulate revolutionary research, technology development, and prototype demonstrations. These challenges strive to be audacious and inspirational with a focus on long-range NASA goals while addressing complex mission needs. Challenges also encourage hands-on, grassroots approaches to identifying and cultivating communities of innovators, including small businesses, student groups, and individuals. Centennial Challenges are part of NASA's Prizes, Challenges, and Crowdsourcing program within the agency's Space Technology Mission Directorate. NASA's Deep Space Food Challenge: Mars to Table is a prize competition with a total prize purse of $750,000 USD, (seven hundred and fifty thousand United States dollars) to be awarded to competitor teams that develop a complete space food system for a planetary surface that integrates a variety of food sources and associated technologies, and that meets 100% of the crew's variable nutritional needs within the constraints of a Martian habitat.”

EO 14372 - Prioritizing the Warfighter in Defense Contracting. Federal Register.

Review – 3 Advisories and 1 Update Published – 1-13-26

Today CISA’s NCCIC-ICS published three control system security advisories for products from YoSmart and Rockwell Automation (2). They also updated an advisory for products from Güralp.

Advisories

YoSmart Advisory - This advisory describes four vulnerabilities (with publicly available exploit code) in the YoSmart YoLink Smart Hub.

Rockwell Advisory #1 - This advisory describes an SQL injection vulnerability in the Rockwell FactoryTalk DataMosaix Private Cloud.

Rockwell Advisory #2 - This advisory describes an allocation of resources without limit or throttling vulnerability in the Rockwell 432ES-IG3 Series A GuardLink EtherNet/IP Interface.

Update

Güralp Update - This update provides additional information on the FMUS and MIN series devices advisory that was originally published on July 31st, 2025, and most recently updated on August 14th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-and-1-update-published-b62 - subscription required.

EPA Sends NEPA Update NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the EPA on “Updates to Procedures for Implementing the National Environmental Policy Act and Assessing the Environmental Effects of EPA Actions”.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“On February 19, 2025, the Council on Environmental Quality (CEQ) issued guidance through a memorandum for heads of Federal departments and agencies on the implementation of the National Environmental Policy Act (NEPA). The guidance, consistent with Executive Order (E.O.) 14154, Unleashing American Energy, 90 Fed. Reg. 8353 [link added] (Jan. 29, 2025), requires agencies to update their implementing NEPA regulations to expedite permitting approvals and for consistency with NEPA as amended by the Fiscal Responsibility Act of 2023 (Public Law 118-5), including the deadlines established in NEPA. In accordance with CEQ’s guidance, agencies are required to complete the revision of their procedures no later than 12 months after the date of this CEQ memorandum. This proposal is for the EPA to update the implementing NEPA regulations to be consistent with the text of NEPA, E.O. 14154, and CEQ’s guidance. Examples of EPA actions subject to NEPA include the award of wastewater treatment construction grants under Title II of the Clean Water Act, EPA’s issuance of new source National Pollutant Discharge Elimination System (NPDES) permits under section 402 of the Clean Water Act, and certain research and development.”

Review – Bills Introduced – 1-12-26

Yesterday, with both the House and Senate in Washington, there were 28 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 7006 Financial Services and General Government and National Security, Department of State, and Related Programs Appropriations Act, 2026. Cole, Tom [Rep.-R-OK-4] 

HR 7011 To require the Administrator of the Federal Railroad Administration to submit to Congress a report on the rate and causes of rail tank car pressure relief device failures, and for other purposes. Deluzio, Christopher R. [Rep.-D-PA-17] 

 

For more information on these bills, including legislative history for similar bills in the 118th Congress, as well as a mention in passing of two opposing bills on the acquisition of Greenland, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-1-12-26 - subscription required.

Reports of the Demise of the ChemLock Program Premature

While the current Administration announced their intent to cancel the ChemLock Program, I just saw this CISA announcement on X:


Apparently CISA expects Congress to ignore this portion of the DHS budget request and continue to provide some level of chemical security funding in FY 2026.

Monday, January 12, 2026

HR 2683 Passes in House – Remote Access Export Controls

Earlier this evening, the House completed action on HR 2683, the Remote Access Security Act, under the suspension of the rules process. Earlier in the afternoon, and after almost 14 minutes of debate, the Yeas and Nays were ordered. About three hours later the vote was held and the bill passed by a substantially bipartisan vote of 369 to 22. All of the nay votes came from Republicans.

The bill would authorize the DOC’s Bureau of Industry and Security (BIS) to regulate the use of remote access by a foreign person of items subject to the jurisdiction of the United States under the export control regulations. No new funding is authorized by this bill.

The bill now goes to the Senate for consideration. Unfortunately, the bill is not politically important enough for the bill to be considered under regular order. With the significant opposition to the bill in the House, it is unlikely that the bill would be taken up under the unanimous consent process. This leaves adding the language from this bill to a must pass authorization or spending bill, as the only way that this bill is going to reach the President’s Desk.

3rd FY 2026 Minibus Announced – FinServices and State

Yesterday the two appropriations committees separately (Senate and House) announced the proposed language for the third minibus spending bill for FY 2026, covering Financial Services and General Government, and National Security, Department of State, and Related Programs. The House Rules Committee also announced that they would hold a rule hearing on Tuesday that would include the new spending bill. The bill will be introduced later today and be assigned an HR number at that time. There is an interesting ‘minority view’ of the bill from the Senate Democrats.

The proposed bill consists of three divisions:

DIVISION A – Financial Services and General Government Appropriations Act, 2026,

DIVISION B – National Security, Department of State, and Related Programs Appropriations Act, 2026, and

DIVISION C – Other Matters

The ‘other matters’ division is relatively short. It would prohibit funding for the United Nations Relief and Works Agency. I suspect that it was added as a separate division instead of being combined with Division B, so that a separate vote could be held on this provision. This would have been included in the bill as an enticement for the spending hawks.

As with HR 6938, this bill will be treated as a conference bill, with Joint Explanatory Statements available for each division. Again, I would not be surprised to see separate votes on retaining each of the three divisions.

If this bill is passed, and I expect that it will, there will be just three spending bills left to consider:

Homeland Security,

Labor-HHS-Education, and

Transportation-HUD.

These three bills would contain the most controversial programs and spending topics and will be the most difficult to produce a consensus version which could pass in both the House and Senate. It is very likely that Congress will have to resort to a continuing resolution with current funding continuing through September 30th, 2026.

Review – S 3404 Introduced – Satellite Cybersecurity

Last month Sen Peters (D,MI) introduced S 3404, the Satellite Cybersecurity Act of 2025. The bill would require the GAO to publish a report on government actions to support cybersecurity of commercial satellite systems. It also outlines new responsibilities for the Department of Commerce (DOC) on satellite cybersecurity. No new funding is authorized by this legislation.

This bill is very similar to S 1425, the Satellite Cybersecurity Act, that was introduced by Peters in May 2023. The Senate Homeland Security Committee held a business meeting on May 17th, 2023, where this bill was considered. The bill was ordered favorably reported and the Committee Report was published on September 5th, 2023. No further action was taken in the Senate.

There are two significant differences between the two bills. First, S 3404 changes the definitions in Section 3. S 3404 removes two definitions: ‘Director’ and ‘Sector Risk Management Agency’. It also adds the definition of the term ‘appropriate congressional committee’. The latter change obviates the need for naming these committees in various places in the bill. The deleted definitions relate to the other, more significant change, a change in the agency, from CISA to DOC, responsible for the cybersecurity responsibilities outlined in this bill.

Moving Forward

Peters is a member of the Senate Commerce, Science, and Transportation Committee. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender organized opposition, and I would suspect the bill would receive the same level of bipartisan support that S 1425 received in the 118th Congress. Unfortunately, I do not think that the bill is politically important enough to take up the Senate’s time if it were to be considered under regular order.

 

For more information on the provisions of the bill, including a commentary on why the responsible agency was changed, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3404-introduced-satellite-cybersecurity - subscription required.

Saturday, January 10, 2026

Short Takes – 1-10-26 – Space Geek Issue

ISS Medical Issue

This week NASA dealt with an undescribed medical issue on the International Space Station by announcing that they will return SpaceX Crew 11 next week, more than a month earlier than planned. The following articles deal with that issue.

NASA, SpaceX Set Target Date for Crew-11’s Return to Earth,

A Medical Emergency 250 Miles Above Earth Forces NASA to Make a Rare Decision,

NASA orders “controlled medical evacuation” from the International Space Station,

Medical issue prompts early return of Crew-11 from ISS,

Medical issue could force early end of Crew-11 ISS mission,

Other Space Geek Articles

Orbiting satellites could start crashing into one another in less than 3 days, theoretical new 'CRASH Clock' reveals. LiveScience.com article. Pull quote: “These findings have not yet been peer-reviewed, and the study team now thinks that they slightly overestimated how short the CRASH Clock really is, Boley told Live Science. However, the rate at which these timeframes have changed, regardless of their exact values, is what is most concerning. (A new, more reliable value for the CRASH Clock is likely to be published later this year.)”

The U.S. will seize space leadership – or China will take it. SpaceNews.com article. SpaceNews.com commentary. Pull quote: “NASA, correctly, is not expected, empowered or equipped to deal with conflict. The U.S. Space Force should be. It has become empowered and expected to maintain advantage, and has made remarkable progress standing up a new service. But it’s still building the comprehensive capabilities needed for contested cislunar operations — an environment very different from the GEO and LEO domains where we’ve operated for decades.”

Rhea Space Activity applies optical navigation to military rendezvous missions. SpaceNews.com article. Pull quote: “Under its award, Rhea Space Activity is developing autonomous navigation software through a project called Vanguard — short for Vision-based Autonomous Navigation and Guidance for Unassisted Approach, Rendezvous and Deployment. The work builds on AutoNav, a software suite originally developed at NASA Jet Propulsion Laboratory to allow spacecraft to determine their position and trajectory without continuous guidance from Earth.”

Private group unveils plans for large space telescope. SpaceNews.com article. Pull quote: ““We are going to build a philanthropic, three-meter, off-axis telescope with capabilities that are approaching Hubble,” Pete Klupar, executive director of the Lazuli project at Schmidt Sciences, said during a session at the 247th meeting of the American Astronomical Society to announce the observatory program. “And we’re going to do it in three years, and we’re going to do it for a ridiculously low price.””

The ‘space tax’ on your self-driving car. SpaceNews.com commentary. Pull quote: “This transition requires a fundamental shift from passive data consumption to active infrastructure investment. For AV manufacturers to effectively utilize space weather data, they will be encouraged to invest in space missions that specifically align with their high-precision engineering goals — moving beyond general atmospheric research toward bespoke orbital monitoring. By backing targeted sensors designed for real-time ionospheric mapping, carmakers can ensure their navigation stacks are supported by data feeds as reliable as the roads themselves. Such investment allows the industry to “buy down” the risk of signal failure, turning space weather from a chaotic variable into a manageable engineering input.”

2026 will clarify Europe’s new priorities for space. SpaceNews.com article. Pull quote: “Exploration budgets, expected to be detailed in early 2026, will clarify Europe’s real level of commitment to human and robotic exploration — particularly moon and Mars — after the Ministerial compromises of 2025. Progress on HALO and Gateway will test Europe’s reliance on transatlantic exploration partnerships. ERS-EO will indicate how far ESA has shifted toward security-driven Earth observation. Also worth watching is the Celeste LEO PNT demonstrator, planned for early 2026, following the sharp budget increase for navigation.”

Backlog List

Muon Space to develop sensor payload for missile defense satellites,

Blue Origin Announces New Glenn “Block 2” Upgrades,

Congress desires LEO, but threats are real,

Datacenters in space are a terrible, horrible, no good idea,

How one controversial startup hopes to cool the planet,

Overview Energy demonstrates technologies for space solar power, and

Benchmark demonstrates high-throughput ASCENT thruster in hotfire testing at Edwards Air Force Base.

Chemical Incident Reporting – Week of 1-3-26

NOTE: See here for series background.

Rio Blanco County, CO – 1-8-26

Local News Report: Here, here, here, and here.

There was a single-vehicle accident involving an oil tank truck; about 9,000 gallons of crude oil were spilled. Some material got into a local creek. The truck driver was transported to a local hospital.

Not CSB reportable, this is a transportation related accident.

Deer Park, TX – 1-9-26

Local News Report: Here, here, here, and here.

There was an unnamed chemical release during maintenance activities at a chemical facility. A shelter-in-place was ordered at the facility and at surrounding locations. No injuries or damages were reported.

Review – Public ICS Disclosures – Week of 1-3-26

This is a relatively light disclosure week. We have four vendor disclosures from ABB, Fujitsu, Dell, and Moxa. There are also five vendor updates from HP, HPE, Mitsubishi, and Moxa (2). We also have a researcher report for products from WatchGuard. Finally, we have two exploits for products from Bio-Formats (2).

Advisories

ABB Advisory - ABB published an advisory that describes three vulnerabilities in their WebPro SNMP Card PowerValue product.

Fujitsu Advisory - JP-CERT published an advisory that describes an origin validation error in the Fujitsu Security Solution AuthConductor Client Basic V2.

Dell Advisory - Dell published an advisory that discusses 36 vulnerabilities in their Windows IoT Enterprise LTSC.

Moxa Advisory - Moxa published an advisory that discusses an unquoted search path vulnerability in their ethernet switches.

Updates

HP Update - HP published an update for the Intel Ethernet I219 Software advisory that was originally published on February 11th, 2025, and most recently updated on April 24th, 2025.

HPE Update - HPE published an update for their ProLiant DL/ML/XD Alletra advisory that was originally published on December 12th, 2025.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on July 19th, 2022, and most recently updated on July 24th, 2025.

Moxa Update #1 - Moxa published an update for their ICMP Timestamp Request advisory that was originally published on October 21st, 2025, and most recently updated on December 8th, 2025.

Moxa Update #2 - Moxa published an update for their Diffie-Hellman Key Exchange Protocol advisory that was originally published on June 2nd, 2025, and most recently updated on November 3rd, 2025.

Researcher Reports

WatchGuard Report - Lutra Security published a report that describes a command injection vulnerability in the WatchGuard Mobile VPN.

Exploits

Bio-Formats Exploit #1 - Ron Edgerson published an exploit for a deserialization of untrusted data vulnerability in the Bio-Formats Memoizer Cache Files.

Bio-Formats Exploit #2 - Ron Edgerson published an exploit for an improper restriction of external XML entity reference vulnerability in Bio-Formats Leica Microsystems XML Parser.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/publish/posts/detail/184117903/share-center - subscription required.