Daily OT Security News: July 14, 2026

Today’s threat landscape highlights an intensifying campaign by sophisticated state-sponsored actors targeting critical infrastructure, alongside emerging vulnerabilities in widely deployed OT, IoT, and industrial automation devices. The convergence of geopolitical tensions and evolving ransomware tactics underscores the urgent need for robust defense and resilience strategies within operational technology environments.

NSA, CISA, and 18 Allied Agencies Issue Urgent Joint Advisory on Russian FSB Router Attacks Against Critical Infrastructure

On July 14, 2026, the U.S. National Security Agency, CISA, FBI, and cybersecurity agencies from 12 allied nations issued a critical joint advisory warning of active exploitation by Russia’s FSB Center 16—known as Ghost Blizzard, Energetic Bear, and Dragonfly—targeting poorly secured routers within critical infrastructure sectors worldwide. The attackers focus on internet-facing Cisco devices, exploiting default SNMP community strings and the Cisco Smart Install protocol to extract sensitive configuration files containing network topologies, credentials, and VPN details. The advisory calls for immediate mitigation steps including upgrading to SNMPv3, disabling Cisco Smart Install, blocking related protocols at firewalls, enforcing strong unique passwords, and regularly updating firmware. This alert coincides with recent EU and UK sanctions linked to a failed December 2025 attack on Poland’s energy grid that could have left half a million civilians without power.

Read more: Industrial Cyber

EU and UK Sanction Russian Cyber Actors; FSB Center 16 Formally Blamed for Poland Energy Grid Attack

On July 13, 2026, the European Union and United Kingdom imposed coordinated sanctions on 24 Russian individuals and entities, formally attributing a series of critical infrastructure cyberattacks to Russia’s FSB Center 16. The sanctions follow confirmation that the group orchestrated a failed December 2025 cyberattack on Poland’s energy grid, which would have disrupted electricity supply to approximately 500,000 people during winter. The EU Council also targeted the Center for Applied Research of Special Developments (CARR), responsible for multiple attacks against EU government bodies, financial institutions, and media outlets. EU foreign policy chief Kaja Kallas condemned the misuse of cyber capabilities to disrupt public services and critical infrastructure, marking this sanctions package as the most significant Western response to Russian cyber aggression since 2022 and highlighting the growing threat to OT and ICS systems across Europe.

Read more: Nextgov

Critical Zero-Day RCE Vulnerability Disclosed in Lorex 2K Indoor Wi-Fi Security Camera (CVE-2026-15680)

The Zero Day Initiative disclosed a critical remote code execution vulnerability, CVE-2026-15680, affecting the Lorex 2K Indoor Wi-Fi Security Camera. The flaw exists in the device’s ‘sonia’ binary JSON request parser, which improperly handles user-supplied strings as format specifiers, enabling unauthenticated attackers to execute arbitrary code with root privileges remotely. This vulnerability underscores ongoing security challenges in consumer and prosumer IoT devices frequently deployed in residential and light commercial settings. Organizations using these cameras are advised to isolate affected devices on segmented networks and monitor for forthcoming patches. The disclosure highlights the persistent risks posed by IP cameras and similar devices that often lack robust update mechanisms and remain exposed on local networks.

Read more: BaseFortify / Zero Day Initiative

Dragos 2026 Report: Ransomware Groups Targeting Industrial OT/ICS Organizations Surged 49% Year-Over-Year

The Dragos 2026 OT/ICS Cybersecurity Year in Review reveals a 49% increase in ransomware attacks against industrial organizations in 2025, impacting approximately 3,300 companies globally. The SANS 2025 State of ICS/OT Cybersecurity Survey found that 22% of organizations experienced OT cybersecurity incidents within the past year, with 40% causing operational disruptions. Notably, Sophos reported that 93% of ransomware attacks on manufacturing entities included deliberate efforts to compromise backup systems, shifting backups from a last line of defense to a primary target. These findings emphasize the critical need for purpose-built OT backup and recovery strategies that accommodate legacy systems, air-gapped networks, and operator-driven recovery processes distinct from traditional IT disaster recovery approaches.

Read more: Acronis / Dragos 2026 OT/ICS Year in Review

CISA Vulnerability Bulletin Highlights Critical Flaws in B&R Industrial Automation APROL and Allwinner IoT Devices

CISA’s Vulnerability Summary Bulletin for the week of July 6, 2026 (SB26-194) details multiple high-severity vulnerabilities affecting OT and IoT environments. B&R Industrial Automation’s widely used APROL platform suffers from an improper certificate validation flaw (CVE-2026-6900) and an untrusted search path vulnerability (CVE-2026-6901), both addressed in the latest patch release R 4.4-01P5. Additionally, the Allwinner H616 TV Box TV98 exposes an Android Debug Bridge interface (CVE-2026-58378) that, if authorized, grants attackers root privileges. The bulletin also highlights Adobe ColdFusion CVE-2026-48316, a maximum-severity arbitrary code execution flaw rapidly exploited post-disclosure. OT and ICS asset owners are strongly encouraged to review the full bulletin and prioritize patching to mitigate risks to industrial automation and embedded IoT devices.

Read more: CISA

As cyber threats targeting operational technology continue to evolve rapidly, maintaining vigilance, timely patching, and adopting tailored security measures remain paramount. Stakeholders across OT, ICS, and IoT sectors must stay informed and proactive to safeguard critical infrastructure and ensure resilient industrial operations.

Share this