Thursday, June 18, 2026

Review – 8 Advisories Published – 6-18-26

Today CISA’s NCCIC-ICS published seven control system security advisories for products from Schneider Electric (2), Mitsubishi Electric (2), Rockwell Automation, AzeoTech, and AVer. They also published a medical device security advisory for products from Apollo Pharmacy. 

Advisories  

Schneider Advisory #1 - This advisory describes an insufficient entropy vulnerability in multiple Schneider product lines. 

Schneider Advisory #2 - This advisory describes a path traversal vulnerability in the Schneider EasyLogic T150 and Saitel DP products. 

Mitsubishi Advisory #1 - This advisory describes an expected behavior violation vulnerability in the Mitsubishi MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP. 

Mitsubishi Advisory #2 - This advisory describes an integer overflow or wraparound vulnerability in the Mitsubishi MELSEC iQ-F Series products. 

Rockwell Advisory - This advisory describes three vulnerabilities in the Rockwell FactoryTalk Historian Site Edition. 

AzeoTech Advisory - This advisory describes a type confusion vulnerability in the AzeoTech DAQFactory product. 

AVer Advisory - This advisory describes a files or directories accessible to external parties vulnerability in the AVer PTC cameras. 

Apollo Advisory - This advisory describes two vulnerabilities in the Apollo Blood Glucose Monitoring System APG-01 BT. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-published-6-18-26 - subscription required. 

HR 9022 Introduced – FRY 2027 EWR Spending

Last month, Rep Fleischmann (R,TN) introduced HR 9022, the Energy and Water Development and Related Agencies Appropriations Act, 2027. The House Appropriations Committee published their Report on the bill. There is one cybersecurity mention in the bill and 10 discussions in the Report. The Report also contains 14 chemical processing discussions. 

HR 9022 is similar to HR 4553, the Energy and Water Development and Related Agencies Appropriations Act, 2026, that was introduced by Fleischmann in July of 2025. The Committee Report was published. That bill passed in the House in September by a near party-line vote of 214 to 213. No action was taken on the bill in the Senate. The EWR spending was eventually included in HR 6938, the Commerce, Justice, Science; Energy and Water Development; and Interior and Environment Appropriations Act, 2026, minibus. 

Moving Forward  

The House Rules Committee has a rule hearing scheduled for June 23, 2023. HR 9022 is one of the four bills currently scheduled for inclusion in the rule. To date, 123 potential amendments have been submitted to the Committee. Three of those amendments deal with DOE’s Cybersecurity, Energy Security, And Emergency Response (CESER) funding. 


For more information on the provisions of this bill, or discussions in the Committee Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-9022-introduced-fry-2027-ewr-spending - subscription required. 

OMB Approves ASPMB Hazardous Substances Final Rule

Yesterday, the OMB announced that it had approved a final rule from the DOI’s Office of the Assistant Secretary for Policy, Management and Budget (AS-PMB) on “Natural Resource Damages for Hazardous Substances”. An advance notice of proposed rulemaking was published on January 19th, 2023. The notice of proposed rulemaking (NPRM) was published on January 5th, 2024. This rulemaking would amend 43 CFR Part 11.

According to the Spring 2025 Unified Agenda entry for this rulemaking:

“This final rule updates the existing Type A Rule of the CERCLA Natural Resource Damage Assessment and Restoration (NRDAR) regulations so it can be used in different environments and include methodologies which are not technology specific.  Adjustments are made to the rebuttable presumption for Type A procedures which is currently limited to damages of $100,000 or less.” 

According to the preamble to the NPRM: 

“Since its promulgation, the Type A Rule has rarely been utilized to resolve CERCLA Natural Resource Damage Assessment and Restoration (NRDAR) claims. This may be partly due to the Type A Rule's restrictive scope—to two specific aquatic environments when relatively low-impact, single substance spills occur. Additionally, the model equation for each Type A environment is the functional part of the rule itself—with no provisions to reflect evolving toxicology, ecology, technology, or other scientific understanding without a formal amendment to the Type A Rule each time a parameter is modified. The result is an inefficient and inflexible rule that is not currently useful as a means to resolve NRDAR claims and promote natural resource restoration. For these reasons, the Department is now seeking to modernize the Type A process and develop a more flexible and enduring rule than what is provided by the two existing static models.” 

I do not expect to be covering this rulemaking in any detail, but I do plan on announcing its publication in the appropriate Short Takes post. 

Wednesday, June 17, 2026

Review – Bills Introduced – 6-16-26

Yesterday, with just the Senate in session, there were 14 bills introduced. One of those bills will receive additional coverage in this blog: 

S 4794 A bill to require the Secretary of Agriculture and the Secretary of Homeland Security to submit to Congress a report regarding cybersecurity in precision agriculture technologies, and for other purposes. Sheehy, Tim [Sen.-R-MT]    


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-6-16-26 - subscription required. 

Review – CSB Updates Accidental Chemical Release Reporting Data – 6-1-26

Yesterday the CSB updated their published list of reported chemical release incidents. They added 38 new incidents that occurred since the previous version was published in March 2026. These are not incidents that the CSB is investigating; these are incidents that were reported to the CSB under their Accidental Release Reporting rules (40 CFR 1604) through END DATE. 

The table below shows the top five states based upon the number of reported incidents since the December update was published. In this case, with the short time frame since the last update, these were the only states that had reported incidents.


For more information on the updated incident reporting data, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updates-accidental-chemical-release - subscription required. 

 