Today’s threat landscape reveals an evolving and complex environment for OT and ICS security, marked by state-sponsored campaigns, emerging malware delivery methods, and supply chain concerns. Meanwhile, advancements in asset visibility and regulatory developments aim to bolster defenses across critical infrastructure sectors.
Iranian APT Campaign Targets ICS and SCADA Systems
A joint advisory from multiple U.S. agencies including the FBI, CISA, NSA, and U.S. Cyber Command warns of an ongoing Iranian APT campaign targeting Industrial Control Systems. The threat actors exploit vulnerabilities in PLCs and SCADA systems, particularly Rockwell Automation/Allen-Bradley CompactLogix and Micro850 devices, as well as Siemens S7 PLCs. Attackers manipulate HMI displays and project files to bypass traditional defenses, focusing on water/wastewater, energy utilities, and municipal services. Despite a reported US-Iran ceasefire, agencies emphasize maintaining heightened vigilance.
Email-Delivered Worms Surge Despite Overall ICS Threat Decline
Research from Kaspersky and Securelist indicates a notable surge in email-delivered worms targeting ICS environments, even as overall ICS threat rates dropped to a three-year low of 19.7% in Q4 2025. The “Curriculum-Vitae-Catalina” phishing campaign distributed Backdoor.MSIL.XWorm malware by impersonating job applications aimed at HR personnel in industrial organizations. Africa saw the highest blocking rate of malicious objects at 27.3%, while the oil and gas sector experienced an increase in blocked threats during the quarter.
Chinese Cellular Modules Pose Growing Risks to US Critical Infrastructure
An analysis by the Foundation for Defense of Democracies highlights national security concerns about Chinese-made cellular modules from Quectel and Fibocom, which together hold nearly half of the global market. These modules, embedded in over 30 billion IoT devices, support remote firmware updates, a capability that could expose critical infrastructure such as power grids, ports, hospitals, and military logistics to espionage or sabotage. The FDD urges the Department of Defense to impose procurement bans, mandate audits, and require FCC listing of these manufacturers.
Tenable Integrates Native OT Visibility into Tenable One Platform
Tenable has introduced VM-Native OT Discovery within its Tenable One platform, providing visibility of IT, OT, and IoT assets without additional hardware or agents. Early adopters uncovered between 100 and over 1,000 previously unknown OT/IoT assets upon initial deployment. With Gartner forecasting a doubling of cyber and cyber-physical attacks over the next three years, Tenable positions this unified exposure management approach as critical, especially given that 45% of modern OT compromises originate from IT environments.
TSA Seeks Public Input on Transportation Cybersecurity Reporting Rules
The Transportation Security Administration has issued a 60-day Federal Register notice soliciting stakeholder comments on proposed cybersecurity reporting requirements for 836 transportation operators including railroads, transit agencies, and bus operators. Proposed mandates include 72-hour incident reporting to CISA, designation of Cybersecurity Coordinators, and annual vulnerability assessments. Additionally, non-U.S.-citizen coordinators must hold trusted-traveler program membership. Comments are due by June 15, 2026.
OT and ICS security teams are advised to prioritize patching and monitoring of PLC and SCADA vulnerabilities, especially in critical sectors such as water and energy. Enhanced email security measures should be implemented to counter phishing campaigns delivering malware. Supply chain risks from embedded IoT components require rigorous vendor assessments and audits. Leveraging integrated visibility tools like Tenable One can improve asset awareness and risk management. Finally, organizations in regulated sectors should prepare for evolving reporting obligations by reviewing internal processes and designating qualified cybersecurity coordinators.