Thursday, May 21, 2026

Review – 5 Advisories and 2 Updates Published – 5-21-26

Today CISA’s NCCIC-ICS published five control system security advisories for products from ABB (4) and Hitachi Energy. They also updated advisories for products from ABB and Schneider Electric. 

Advisories  

ABB Advisory #1 - This advisory describes three vulnerabilities in the ABB Terra AC Wallbox EV charger.

NOTE: I briefly discussed the latest update to the ABB advisory on November 30th, 2025. 

ABB Advisory #2 - This advisory describes three vulnerabilities in the ABB B&R Automation Runtime product. The vulnerability is self-reported.

ABB Advisory #3 - This advisory discusses 25 vulnerabilities in the ABB B&R Automation Studio.

ABB Advisory #4 - This advisory discusses the PixieFail vulnerabilities.

Hitachi Energy Advisory - This advisory discusses an observable discrepancy vulnerability in the Hitachi Energy GMS600. 

Updates  

ABB Update - This update provides additional information on the Automation Builder advisory that was originally published on May 13th, 2025. 

Schneider Update - This update provides additional information on the EcoStruxure Process Expert advisory that was originally published on January 22nd, 2026.

NOTE: I briefly listed the latest Schneider update on May 17th, 2026. 


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-7c6 - subscription required. 

CISA Announces KEV Nominations

This morning CISA announced that it had published their new Known Exploited Vulnerabilities nomination form. According to today’s announcement: 

“The new form is a secure, web-based tool that will improve CISA’s ability to intake and analyze reported vulnerabilities and ensure we continue to help organizations effectively keep pace with threat activity. Vulnerabilities submitted for potential addition to the catalog must have a Common Vulnerabilities and Exposures (CVE) ID, evidence of exploitation, and clear mitigation guidance. Learn more about the criteria for KEV catalog submissions and CISA’s efforts to reduce KEV-related risk.”

According to the approved information collection request (ICR) supporting this reporting form, CISA expects as many as 2,725 annual submissions.

This should allow CISA to participate earlier in the exploit notification process. Instead of having to wait until they read about the exploits in the press, this will allow them to hear directly from owners, vendors, and researchers when exploits are identified.

Short Takes – 5-21-26 - Federal Register Edition

Area Maritime Security Advisory Committee (AMSC), Eastern Great Lakes, Northwestern Pennsylvania; Sub-Committee Vacancy. Federal Register CG notice. Summary: “The Coast Guard is accepting applications to fill one vacancy on the Area Maritime Security Committee, Eastern Great Lakes, Northwestern Pennsylvania Region Sub-Committee (Sub-Committee). The Area Maritime Security Committee assists the Captain of the Port as the Federal Maritime Security Coordinator (FMSC), Buffalo, in developing, reviewing, and updating the Area Maritime Security Plan for their area of responsibility.” 

Clearance of Renewed Approval of Information Collection: for the Information Collection Entitled, Website for Frequency Coordination Request. Federal Register FAA 30-day information collection request renewal – Summary: “The information collected is needed to perform the aeronautical studies, technical evaluations required, and to meet the specified requirements for the radio frequency engineering pursuant to the Federal Aviation Administration (FAA) Order 6050.32.B, Chapter 3, Section 302. This FAA Order outlines the U.S. National Organizations and the role of the National Telecommunications and Information Administration (NTIA) in assigning and coordinating the Aviation Assignment Group (AAG) radio spectrum used by the FAA to support aeronautical services. Hence, the FAA must “authorize” aeronautical frequencies of broadcast applications that impact the AAG bands.”

Ebola Notices  

Notice of Order Under Sections 362 and 365 of the Public Health Service Act Suspending Introduction of Certain Persons from Countries Where a Communicable Disease Exists. Federal Register CDC notice. 

Arrival Restrictions Applicable to Flights Carrying Persons Who Have Recently Traveled From or Were Otherwise Present Within the Democratic Republic of the Congo (DRC), Uganda, or South Sudan. CBP announcement. 

PFOA NPRMs  

Rescission of Regulatory Determinations and Removal of Related Provisions for Four PFAS Substances (PFHxS, PFNA, HFPO-DA (GenX), and the Mixture of These Three PFAS Plus PFBS). Federal Register EPA notice of proposed rulemaking. 

Extending the Compliance Deadline for the PFOA and PFOS Maximum Contaminant Levels. Federal Register EPA notice of proposed rulemaking. 

Review – Bills Introduced – 5-20-26

Yesterday, with both the House and Senate in session, there were 89 bills introduced. One of those bills may receive additional coverage in this blog:

S 4615 An original bill to authorize appropriations for fiscal year 2027 for intelligence and intelligence-related activities of the United States Government, the Intelligence Community Management Account, and the Central Intelligence Agency Retirement and Disability System, and for other purposes.  Cotton, Tom [Sen.-R-AR] 


For more information on these bills, including legislative history for similar bills, as well as a mention-in-passing of a bill that would provide biotech scale-up support, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-5-20-26-5a2 - subscription required.

Wednesday, May 20, 2026

Review – Bills Introduced – 5-19-26

Yesterday, with both the House and Senate in session, there were 74 bills introduced. Four of those bills may receive additional coverage in this blog: 

HR 8870 To authorize funding for Federal-aid highways, bridge construction and rehabilitation, highway safety programs, transit programs, and rail programs, and for other purposes. Graves, Sam [Rep.-R-MO-6]   

HR 8880 To require the Comptroller General to evaluate Federal cybersecurity assistance to small business concerns, and for other purposes. Simon, Lateefah [Rep.-D-CA-12]   

S 4564 A bill to amend title 46, United States Code, to require the Secretary of the department in which the Coast Guard is operating to assess cybersecurity risks of certain software and hardware used in certain maritime facilities, and for other purposes. Scott, Rick [Sen.-R-FL]   

S 4565 A bill to ensure the security and integrity of United States critical infrastructure by establishing an interagency task force and requiring a comprehensive report on the targeting of United States critical infrastructure by People's Republic of China state-sponsored cyber actors, and for other purposes. Scott, Rick [Sen.-R-FL]   


For more information on these bills, including legislative history for similar bills in the 118th Congress, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-5-20-26 - subscription required. 

Note: Corrected the date in the title to reflect the date of introduction. 5-21-26