Daily OT Security News: April 16, 2026

Daily briefing covering the latest cybersecurity incidents, vulnerabilities, and regulatory developments affecting Operational Technology (OT), Industrial Control Systems (ICS), Internet of Things (IoT), and Cyber-Physical Systems (CPS) — April 16, 2026.

ZionSiphon: New OT Malware Targets Israeli Water Treatment and Desalination Systems

Darktrace researchers have published a detailed analysis of ZionSiphon, a sophisticated OT-focused malware sample that combines privilege escalation, persistence mechanisms, USB propagation, and ICS scanning capabilities with sabotage functions aimed at chlorine dosing and pressure controls. The malware restricts execution to Israeli IP address ranges and contains hardcoded references to Israel’s national water company Mekorot and four major desalination plants — Sorek, Hadera, Ashdod, and Palmachim. Embedded Base64-encoded strings reveal politically motivated messaging attributed to a threat actor identifying as ‘0xICS’. The malware’s IsDamDesalinationPlant() function scans for process names and file paths associated with reverse osmosis, chlorine control, and SCADA systems, underscoring the growing experimentation with targeted, politically motivated attacks against critical water infrastructure globally.

Source: Darktrace Blog

Sweden Confirms Failed Pro-Russian Cyberattack on Heating Plant Amid Escalating European Energy Threats

Swedish Civil Defense Minister Carl-Oskar Bohlin has publicly confirmed for the first time that a pro-Russian group linked to Russian intelligence attempted to compromise a heating plant in western Sweden in 2025. The failed attack is part of a broader pattern of over 150 incidents of sabotage and malign activity across Europe tracked by Western officials since Russia’s full-scale invasion of Ukraine in February 2022. Similar operations have struck energy facilities in Poland serving 500,000 residents, and a 2024 cyberattack in Denmark disrupted a water utility. Norwegian authorities also reported hackers remotely opening a dam valve. Officials say the overarching goal of these hybrid warfare campaigns is to undermine European support for Ukraine, spread societal fear, and drain investigative resources from affected nations.

Source: Security Affairs

U.S. Air Force Establishes First Military OT Cybersecurity Office — CROCS Reaches Initial Operating Capability

The U.S. Air Force’s Cyber Resiliency Office for Control Systems (CROCS) has reached initial operating capability, making the Air Force the first American military service with a dedicated OT cybersecurity office. Announced at an industry conference by Department of the Air Force Principal Cyber Advisor Wanda Jones-Heath, CROCS was first committed to in the Air Force’s May 2021 OT security strategy but took two years of internal advocacy to establish. CROCS Director Daryl Haegley told ISMG that a key milestone was getting OT security costs incorporated into the Department of Defense’s five-year Program Objective Memorandum budget process, enabling funding for assessments, mitigation, and training. The office is modeled after the Air Force’s Cyber Resiliency Office for Weapon Systems and aims to break down reporting silos, coordinate with U.S. Cyber Command, and build a qualified OT cyber defender workforce — recognizing that military bases function as small towns entirely dependent on OT systems for power, water, and access control.

Source: GovInfoSecurity

Tenable Launches VM-Native OT Discovery Engine to Unify IT and Cyber-Physical Risk Visibility

Tenable has unveiled a new VM-Native OT Asset Discovery capability integrated directly into its Tenable One Exposure Management Platform, eliminating the need for specialized hardware, additional agents, or standalone OT sensors. The engine enables security teams to discover and inventory OT, IoT, and shadow IT assets — from factory floor PLCs to HVAC systems and badge readers — within a single unified risk view. Early access customers across hospitality, financial services, education, food and beverage, and government sectors uncovered between 100 and 1,000-plus previously unknown assets upon initial deployment, many carrying critical vulnerabilities. Tenable Chief Product Officer Eric Doerr noted that 45% of modern OT compromises originate in IT environments, and that Gartner projects cyber and cyber-physical attacks will double over the next three years. The new capability is available to all Tenable One, Tenable Vulnerability Management, and Tenable Security Center customers.

Source: Help Net Security

DDoS Attacks Emerge as Serious Threat to Solar PV SCADA Systems and Grid-Connected Energy Infrastructure

A detailed analysis published by pv magazine highlights the growing risk that Distributed Denial-of-Service (DDoS) attacks pose to networked solar photovoltaic systems, battery energy storage systems (BESS), and their associated SCADA and monitoring platforms. By flooding inverters, gateways, and cloud monitoring interfaces with traffic, attackers can sever communications between controllers and operators, potentially causing system instability, undetected faults, and financial losses from disrupted grid participation. SolarDefend Managing Director Uri Sadot cited a 2024 incident in which 800 Contec monitoring devices were hijacked to form a DDoS botnet targeting solar infrastructure. Experts recommend layered defenses including traffic filtering, rate limiting, network segmentation, CDN-based mitigation services, and intrusion detection systems integrated with automated response capabilities to protect energy assets against this escalating threat vector.

Source: pv magazine
