July 10, 2026 — Today’s OT/IoT threat landscape underscores a widening aperture of risk and a quickening tempo of change. Iranian-linked hacktivists are conducting broad, opportunistic scans for any exposed industrial device, while aging, end-of-life IoT hardware continues to expand unmanageable attack surface. At the same time, AI-accelerated vulnerability research is compressing disclosure timelines, Microsoft has issued an emergency fix for a Defender zero-day with implications for OT workstations, and Australia is advancing regulatory reforms to address AI-enabled threats to critical infrastructure. Security leaders should double down on exposure reduction, resilient patching strategies, identity controls, and continuous monitoring tuned to OT realities.
Iran’s Cyber Crosshairs Focus Beyond Critical Infrastructure
Iranian-linked groups such as Handala and Ababil of Minab are pursuing “Shodan Safaris” to opportunistically target any Internet-exposed OT/ICS device with weak or default credentials and unpatched flaws, expanding beyond traditional critical infrastructure targets. Recent incidents include a remote wipe impacting over 200,000 hosts at Stryker and a compromise of the Vyncs GPS tracking platform, with adversaries leaning on five-year-old CVEs (e.g., CVE-2021-22681 on Rockwell PLCs) and stolen credentials from illicit markets. Recommended defenses include rigorous attack surface management, phishing-resistant MFA for externally reachable OT systems, prioritized patching, and monitoring of Telegram channels where operations are announced.
Source: Dark Reading
Cybersecurity Strategies for Managing End-of-Life Industrial IoT Devices
End-of-life (EOL) industrial IoT devices are an often-underestimated risk because discontinued vendor support eliminates patch pathways, leaving known exploits indefinitely viable in production OT networks. The article highlights how weaponized IoT, exemplified by the 2016 Mirai botnet, can disrupt operations and urges defenders to maintain full asset inventories, segment or isolate legacy devices, and apply compensating controls (virtual patching, enhanced monitoring, strict access management) until secure decommissioning is completed. Continuous monitoring for anomalous traffic from legacy hardware is essential to detect abuse before it propagates.
Source: Automation.com
Forescout Joins Anthropic’s Cyber Verification Program to Accelerate OT/IoT Vulnerability Research
Forescout’s Vedere Labs has joined Anthropic’s Cyber Verification Program, gaining structured access to frontier AI models to advance dual-use security research across OT, IoT, and IoMT devices. Their 2026 Riskiest Devices findings show risk migrating into under-monitored classes such as serial-to-IP converters, BACnet routers, RFID readers, and medical image printers, with recent campaigns like BRIDGE:BREAK, SUN:DOWN, and DRAY:BREAK exposing broad weaknesses. AI-assisted workflows are expected to shorten the cycle from discovery to coordinated disclosure, implying faster-moving patch, mitigation, and detection requirements for asset owners.
Source: Forescout Blog
Microsoft Patches RoguePlanet Zero-Day (CVE-2026-50656) in Windows Defender
Microsoft issued an out-of-band update for RoguePlanet (CVE-2026-50656), a high-severity elevation-of-privilege flaw in Windows Defender that, while requiring local access, enables escalation to SYSTEM and can be used to disable protections, dump credentials, and gain persistence. A public proof-of-concept from “Nightmare-Eclipse” raises the likelihood of rapid weaponization, and the ubiquity of Defender on OT HMIs and engineering workstations amplifies operational risk. Organizations should confirm receipt of Microsoft Malware Protection Engine version 1.1.26060.3008 and monitor for privilege escalation indicators and Defender tampering across both enterprise and OT segments.
Source: Dark Reading
Australia’s CISC Advances SOCI Act Reforms to Address AI-Enabled Cyber Threats to Critical Infrastructure
Australia’s Cyber and Infrastructure Security Centre (CISC) is consulting on 21 proposed measures to modernize the Security of Critical Infrastructure Act 2018, with feedback due by July 31, 2026. The reforms aim to streamline regulation, refine sector and asset coverage, and explicitly address AI-enabled cyber threats, supply chain risks, and the energy transition, while reinforcing fundamentals like patching, access control, and network segmentation. Notably, Mandatory Cyber Incident Reporting (MCIR) obligations now expressly include AI-assisted incidents, signaling heightened expectations for visibility and timely reporting.
Source: Industrial Cyber
Key takeaways: reduce exposure, modernize controls, and accelerate detection. Immediately inventory and lock down any Internet-exposed OT/IoT assets; enforce phishing-resistant MFA on externally accessible systems; and prioritize patch validation and deployment, including confirming the latest Microsoft Malware Protection Engine across OT workstations. Treat EOL devices as high-risk: segment them, implement compensating controls, and plan decommissioning with strict data sanitization. Expand monitoring to “blind spot” device classes like serial-to-IP converters, BACnet routers, RFID readers, and medical image printers, and ingest relevant threat intelligence (including hacktivist Telegram channels) to adjust defenses in near real time. Finally, prepare for evolving regulatory expectations—validate incident reporting workflows, ensure AI-related detections are captured and triaged, and align operational resilience plans with sector guidance and forthcoming SOCI Act updates.