Today’s threat landscape highlights emerging vulnerabilities and active campaigns targeting operational technology (OT) and industrial control systems (ICS) across critical infrastructure sectors. From critical advisories exposing legacy system flaws to sophisticated malware targeting water treatment facilities, and state-linked attempts to disrupt energy production, the urgency for enhanced OT security measures remains paramount.
New OT-ISAC Advisory Exposes Critical Flaws Across Industrial Control and Management Systems
A recent OT-ISAC advisory consolidates multiple vulnerabilities disclosed in April 2026 that affect legacy field controllers, PLC ecosystems, industrial wireless infrastructure, and network management platforms. Notable issues include an unpatchable BASControl20 controller, authorization bypasses in AVEVA pipeline simulation software, weak password protections in Horner PLC workflows, and management-plane vulnerabilities in Siemens networking products. Although no active exploitation has been reported, the advisory warns of increasing threat actor interest within the next 30 to 90 days, urging organizations to prioritize patching, isolate unsupported systems, and enhance monitoring around critical management and remote access interfaces.
Source: Industrial Cyber
Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
Darktrace researchers have identified ZionSiphon, a novel malware strain targeting OT systems in Israeli water treatment and desalination plants. First observed in mid-2025, the malware employs privilege escalation, persistence mechanisms, USB propagation, and multi-protocol ICS scanning to manipulate chlorine dosing and pressure controls via Modbus, DNP3, and S7comm. Although still in development, ZionSiphon demonstrates a sophisticated approach combining removable media spread with direct OT manipulation, signaling an evolving threat landscape for water infrastructure security.
Source: The Hacker News
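The ZionSiphon item above mentions two observable behaviours a plant's network monitoring can key on: one source host probing several ICS protocols (Modbus/TCP, DNP3, S7comm) and Modbus write requests coming from somewhere other than the engineering workstations that are supposed to issue them. The detection logic below is an added illustration written for this digest, not code from Darktrace or from the original article. It assumes a simplified, constructed connection-log format (`timestamp src dst dport [fc=<modbus function code>]`), the standard TCP ports for the three protocols, the Modbus write function codes (5, 6, 15, 16, 23), and a hypothetical allowlist of engineering hosts; all of those are assumptions to adapt to a real environment.

```python
"""Added example (not from the digest): flag hosts that touch multiple ICS
protocol ports and Modbus write requests that originate outside an
engineering-workstation allowlist."""
from collections import defaultdict

# Standard TCP ports for the three protocols named in the ZionSiphon report.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 102: "s7comm"}

# Modbus function codes that change coil/register state (write operations).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 23}

# Hypothetical allowlist: hosts that are permitted to write to PLCs.
ENGINEERING_HOSTS = {"10.10.1.5"}

# Constructed sample log lines (not real traffic). Format:
#   <timestamp> <src> <dst> <dport> [fc=<modbus function code>]
SAMPLE_LOG = """\
2025-06-01T08:00:01 10.10.1.5 10.20.0.11 502 fc=3
2025-06-01T08:00:02 10.10.1.5 10.20.0.11 502 fc=16
2025-06-01T08:05:10 10.10.7.42 10.20.0.11 502 fc=1
2025-06-01T08:05:11 10.10.7.42 10.20.0.12 20000
2025-06-01T08:05:12 10.10.7.42 10.20.0.13 102
2025-06-01T08:05:30 10.10.7.42 10.20.0.11 502 fc=6
2025-06-01T09:00:00 10.10.9.9 10.20.0.14 443
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, src, dst, dport = parts[:4]
    fc = None
    for extra in parts[4:]:
        if extra.startswith("fc="):
            fc = int(extra[3:])
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "fc": fc}


def analyze(log_text, min_protocols=2):
    """Return findings for (a) Modbus writes from non-engineering hosts and
    (b) sources that contact at least `min_protocols` distinct ICS protocols."""
    protocols_by_src = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto = ICS_PORTS.get(rec["dport"])
        if proto is None:
            continue  # not an ICS protocol port we track
        protocols_by_src[rec["src"]].add(proto)
        if (proto == "modbus" and rec["fc"] in MODBUS_WRITE_FCS
                and rec["src"] not in ENGINEERING_HOSTS):
            findings.append({
                "type": "unauthorized_modbus_write",
                "ts": rec["ts"], "src": rec["src"],
                "dst": rec["dst"], "fc": rec["fc"],
            })
    # Multi-protocol probing from a single source is reported once per host.
    for src, protos in sorted(protocols_by_src.items()):
        if len(protos) >= min_protocols:
            findings.append({
                "type": "multi_protocol_ics_scan",
                "src": src, "protocols": sorted(protos),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed input, the allowlisted workstation's write (`fc=16`) is accepted, while `10.10.7.42` is reported twice: once for a write (`fc=6`) it is not authorized to make, and once for touching Modbus, DNP3 and S7comm ports in quick succession. In production the allowlist and the port map would come from the asset inventory, and the write check is best scoped per PLC rather than globally.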
Attackers Exploit DVR Command Injection Flaw to Deploy Mirai-Based IoT Botnet
FortiGuard Labs reports a new malware campaign leveraging CVE-2024-3721, a command injection vulnerability in TBK DVR systems, to deploy the Mirai-derived Nexcorium botnet. This campaign uses crafted requests to execute downloader scripts across multiple Linux architectures and exploits an additional Huawei router vulnerability to expand its network. Nexcorium maintains persistence via modified init files and cron jobs and conducts large-scale DDoS attacks including UDP, TCP SYN, and SMTP floods. Viakoo Labs emphasizes the necessity for agentless discovery, automated credential management, and firmware updates to mitigate IoT hygiene gaps exploited by such threats.
Source: Infosecurity Magazine
Pro-Russian Threat Actors Target Swedish Heat and Power Plant in Failed Cyberattack
In spring 2025, pro-Russian threat actors attempted to disrupt a Combined Heat and Power (CHP) facility in western Sweden by targeting its ICS infrastructure. The attack was unsuccessful due to embedded security controls. Swedish officials report a shift from traditional DDoS campaigns to direct OT targeting by Russian-linked groups, with similar incidents across Scandinavia. Security experts warn this trend may escalate to kinetic-level destruction using destructive malware like DynoWiper, capable of permanently disabling RTUs and PLCs, underscoring the critical need to fortify IT/OT boundaries in industrial environments.
Source: Information Security Buzz
NCSC Sounds Resilience Warning as Cyberattacks Threaten Real-World Disruption
The UK National Cyber Security Centre (NCSC) has issued a warning highlighting the rising threat of cyberattacks capable of causing real-world operational disruptions beyond data theft. NCSC Director Jonathon Ellison emphasized that advanced threat actors are increasingly able to target organizations critical to national economic infrastructure. The advisory shifts focus from purely prevention to resilience, advocating for sustained operation during attacks. Additionally, the NCSC notes the accelerating role of frontier AI in enabling faster, more sophisticated attacks, urging leadership to recognize severe cyber threats as an urgent national security and public safety priority.
Source: Resilience Media
As these developments illustrate, the OT and ICS threat landscape continues to evolve rapidly, demanding vigilant monitoring, proactive patching, and robust resilience strategies from organizations managing critical infrastructure. Maintaining secure IT/OT convergence remains essential to safeguarding operational continuity and national security interests.