Daily OT Security News: June 14, 2026
The threat landscape for operational technology continues to intensify as state-sponsored actors and criminal groups escalate attacks on critical infrastructure, from water utilities to maritime ports. Today’s briefing highlights emerging vulnerabilities in both legacy OT systems and modern security infrastructure that defenders must address urgently.
Iranian-Linked Handala Group Claims Breach of California Water Utilities
On June 12, 2026, the Iranian-linked cyber group Handala claimed responsibility for breaching water systems serving Bakersfield, Visalia, and Chico, California, publishing screenshots of customer billing data and asserting that 5 GB of data had been exfiltrated. The group framed the attack as retaliation for U.S. military strikes on Iranian water infrastructure. California Water Service (Cal Water) conducted a preliminary scan and found no evidence of compromise to its IT, water production, or delivery systems. Independent analysis confirmed the breach was limited to a GPS correction server (an internet-exposed RTKBase GNSS platform) and a customer billing database — neither of which controls water treatment or distribution. Security experts noted that Handala has a documented history of overstating its capabilities and transitioning from data theft to destructive operations, aligning with recent CISA warnings regarding Iranian interest in U.S. water infrastructure.
U.S. Probes Suspected Iranian Hack of Gas Station Automatic Tank Gauge Systems
U.S. authorities are investigating a suspected Iranian cyberattack targeting automatic tank gauge (ATG) systems at multiple gas stations across several states. ATG systems monitor underground fuel storage levels and are critical OT components for fuel inventory management and leak detection. Attackers reportedly accessed internet-exposed ATG units that lacked password protection, manipulating display readings without altering actual fuel levels. The incident underscores the ongoing risk posed by legacy OT devices connected directly to the internet without authentication controls, a vulnerability that CISA has previously warned about in advisories covering fuel and energy sector infrastructure. The investigation is being conducted by U.S. federal agencies and is linked to the broader pattern of Iranian cyber operations against American critical infrastructure.
Source: CNN / MSN, June 14, 2026
Resecurity Warns of Escalating Ransomware and Supply Chain Attacks on Maritime Port OT Systems
Cybersecurity firm Resecurity has issued a threat intelligence warning about a growing wave of cyberattacks targeting port authorities and maritime operators worldwide, forecasting that threats will intensify through 2030 as geopolitical tensions and maritime digitalization converge. The report highlights a recent ransomware attack by the Anubis group against an Adriatic Port Authority in the EU, which disrupted operations and resulted in the theft of sensitive safety plans, staff records, and communications — with attackers demanding a $10 million ransom. Resecurity notes that the convergence of OT and IT in port environments has created new attack surfaces, with adversaries exploiting these integration points. Hybrid warfare tactics including GPS spoofing and AIS manipulation are increasingly prevalent, particularly in conflict-affected regions. The maritime sector handles approximately 90% of global trade, making it a high-value target for both disruptive and espionage-driven cyber operations.
Bitsight Report: ICS/OT Internet Exposure Plateaus at 170,000 Monthly — But Attack Surface Expands
Bitsight’s 2026 Global State of ICS/OT Exposure report reveals that internet-facing industrial control systems have plateaued at approximately 170,000 monthly exposures. While the raw count has stabilized, the overall risk profile is expanding because modern ICS devices increasingly support non-traditional protocols — including SSH, HTTP, and MQTT — alongside legacy industrial protocols, significantly widening the attack surface. This protocol diversification makes it harder for defenders to enumerate and monitor exposed assets using traditional OT-focused scanning tools. The report serves as a reminder that static exposure counts can be misleading: even flat numbers mask qualitative increases in exploitability as OT systems adopt IT-style connectivity. Organizations are urged to implement continuous OT asset discovery and protocol-aware monitoring to keep pace with this evolving landscape.
Critical Splunk Enterprise Flaw (CVSS 9.8) Enables Unauthenticated Remote Code Execution
Splunk has released emergency security updates to address CVE-2026-20253, a critical vulnerability rated CVSS 9.8 in Splunk Enterprise versions below 10.2.4 and 10.0.7. The flaw resides in a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing any network-reachable unauthenticated user to create or truncate arbitrary files — and, via a chained exploit demonstrated by watchTowr Labs, achieve full remote code execution. Splunk is widely deployed as a SIEM and log aggregation platform in OT/ICS environments and security operations centers. Exploitation of this vulnerability could allow attackers to compromise security monitoring infrastructure, blind defenders to ongoing OT incidents, or pivot into connected industrial networks. Splunk Cloud is not affected. Organizations running on-premises Splunk Enterprise deployments are urged to apply patches immediately, as technical exploit details are now publicly available.
Source: The Hacker News, June 13, 2026
Closing Remarks: Today’s threat intelligence underscores the critical importance of asset visibility, authentication controls, and timely patching across OT and security infrastructure. Whether facing state-sponsored adversaries targeting water and energy systems or ransomware operators targeting maritime operations, organizations must prioritize continuous monitoring, network segmentation, and rapid incident response. Stay vigilant and ensure your security teams are equipped with the latest threat intelligence and defensive capabilities.