Daily OT Security News: April 09, 2026

Welcome to today’s cybersecurity briefing focused on operational technology (OT), industrial control systems (ICS), and critical infrastructure security. In the past 24 hours, multiple significant developments have emerged involving nation-state threat actors targeting U.S. critical infrastructure, new vulnerability disclosures, and budgetary concerns affecting key federal cybersecurity agencies. Below, we summarize the latest intelligence and advisories to help security professionals stay informed and prepared.

CISA and NERC Warn of Active Iranian Cyberattacks on U.S. Power Grid PLCs as Ceasefire Remains Fragile

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Department of Energy (DOE) jointly issued advisory AA26-097A, alerting that Iranian-affiliated advanced persistent threat actors are actively targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure sectors, including power generation, water systems, and government facilities. The North American Electric Reliability Corporation (NERC) confirmed it is closely monitoring the grid and coordinating with DOE and the Electricity Subsector Coordinating Council. Attackers have conducted malicious interactions with PLC software and configuration settings, manipulated human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, and caused confirmed operational disruptions and financial losses. CISA estimates that between 600,000 and two million PLCs are deployed across U.S. critical infrastructure, many running legacy firmware with limited security support. Despite a recent two-week ceasefire announcement with Iran, experts warn the threat is unlikely to subside, urging organizations to urgently review their OT exposure and harden internet-facing industrial devices.

Source: Cybersecurity Dive

Censys Research: 5,219 Rockwell Allen-Bradley PLCs Exposed Online as Iran-Linked Actors Exploit Them Without Zero-Days

New research from Censys identified 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818) and self-identifying as Rockwell Automation Allen-Bradley devices, with 74.6% located in the United States. The study reveals that Iran-linked threat actors are leveraging legitimate vendor software—specifically Rockwell Studio 5000 Logix Designer—to interact with PLC project files and manipulate HMI/SCADA displays without requiring zero-day exploits. This “living off the land” tactic blends malicious activity into normal engineering workflows. Targeted device families include CompactLogix and Micro850. Additionally, 49.1% of exposed PLCs are reachable via Verizon Business cellular networks, indicating field-deployed devices at pump stations, substations, and municipal facilities using cellular modems as their sole internet access. The research also found exposed VNC (771 instances) and Telnet (280 instances) services, providing direct remote desktop access to HMI workstations—precisely the attack vector described in the recent CISA advisory.

Source: Industrial Cyber

APT28 (Russian GRU) Exploits SOHO Routers for DNS Hijacking to Intercept Credentials Across Critical Infrastructure

The UK National Cyber Security Centre (NCSC) issued an advisory warning that APT28—also known as Fancy Bear or Forest Blizzard and linked to the Russian GRU’s Unit 26165—is exploiting vulnerable small office/home office (SOHO) routers to manipulate DNS settings and conduct large-scale adversary-in-the-middle (AitM) attacks. By altering DHCP DNS settings on compromised routers, APT28 redirects traffic for targeted services, particularly email and login pages, through attacker-controlled infrastructure to harvest credentials and authentication tokens. This campaign, active since 2024, targets TP-Link WR841N routers via CVE-2023-50224 and MikroTik devices. The advisory is especially relevant for OT environments relying on SOHO routers for remote field connectivity, where DNS poisoning could intercept engineering credentials and enable follow-on access to industrial control systems.

Source: Industrial Cyber
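The DHCP-delivered DNS manipulation described in the APT28 item above leaves a client-visible trace: the resolvers a router hands out. The Python below is an added example (not code from the NCSC advisory or this briefing) that parses DHCP option 6 from a DHCP message and flags any advertised resolver that is not on an approved list; the approved addresses and the sample DHCP ACK are constructed for the example.

```python
# Added example, not from the briefing: flag DHCP-advertised DNS resolvers that are not on
# the site's approved list, the symptom of a router whose DHCP DNS setting was tampered with.
import ipaddress

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # constructed sample values for this site

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132: options start after 236-byte header
OPT_PAD, OPT_DNS_SERVERS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV options field of a DHCP message into {code: raw_value}."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (short or bad magic cookie)")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def dns_servers(options: dict) -> list:
    raw = options.get(OPT_DNS_SERVERS, b"")  # option 6: IPv4 addresses, 4 bytes each
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def rogue_resolvers(payload: bytes, approved=APPROVED_RESOLVERS) -> list:
    """Return every advertised resolver that is not approved (empty list means clean)."""
    return [s for s in dns_servers(parse_dhcp_options(payload)) if s not in approved]


def build_dhcp_ack(servers) -> bytes:
    """Construct a minimal DHCP ACK carrying option 6 (test input, not a captured packet)."""
    opt6 = bytes([OPT_DNS_SERVERS, 4 * len(servers)])
    opt6 += b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    return bytes(236) + DHCP_MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 5]) + opt6 + bytes([OPT_END])
```

In practice the payload would come from a DHCP ACK captured on the field-site LAN, and a non-empty result from `rogue_resolvers` is the alert condition.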

Trump’s Proposed $707 Million CISA Budget Cut Draws Alarm as Iranian OT Attacks Escalate

President Trump’s proposed fiscal year 2027 budget includes a $707 million cut—approximately 30%—to the Cybersecurity and Infrastructure Security Agency’s (CISA) funding. This proposal has drawn sharp criticism from cybersecurity professionals amid escalating Iranian cyberattacks targeting U.S. critical infrastructure OT systems. CISA functions as the primary federal liaison between government intelligence and private-sector critical infrastructure operators, with its ICS-CERT division providing essential ICS/OT security advisories. Experts warn that such cuts would severely impair CISA’s ability to issue timely advisories, conduct on-site assessments, and share threat intelligence with utilities and industrial operators. BreachLock CEO Seemant Sehgal remarked, “You don’t cut the fire department and then wonder why buildings burn.” The budget proposal comes as CISA simultaneously warns of active Iranian exploitation of PLCs across energy, water, and government sectors.

Source: Security Boulevard

CISA Issues 7 ICS Advisories Covering Critical Flaws in Schneider Electric, WAGO, and PTC Systems

This week, CISA released seven ICS security advisories addressing ten vulnerabilities across major industrial control system vendors including Schneider Electric, WAGO, and PTC. Notable findings include CVE-2025-49844, a use-after-free vulnerability in Schneider Electric’s Plant iT/Brewmaxx platform that can cause memory corruption and system compromise; CVE-2026-3587, a hidden functionality flaw in WAGO Managed Switches allowing attackers to bypass controls; and CVE-2026-4681, a code generation vulnerability in PTC Windchill PDMLink for which no fix is yet available. Additionally, CVE-2026-2417 in Pharos Controls Mosaic Show Controller involves missing authentication for critical functions, enabling unauthorized control of industrial systems. The broader vulnerability landscape this week tracked 1,960 total CVEs, with 248 having public proof-of-concept exploits, and CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog.

Source: Cyble Research & Intelligence Labs

This briefing is published daily by the Viakoo security team to keep OT, ICS, and critical infrastructure professionals informed of emerging threats and vulnerabilities. Stay vigilant and prioritize securing your operational environments.