Daily OT Security News: June 15, 2026

The operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT) security landscape continues to face unprecedented challenges in 2026. As threat actors grow increasingly sophisticated and state-sponsored campaigns expand globally, defenders must remain vigilant to protect critical infrastructure from escalating risks.

Nation-State APT Groups Target Energy & Utilities Sector in 66% of Observed Campaigns

New research from CYFIRMA reveals that the energy and utilities sector appeared in 66.6% of all observed advanced persistent threat (APT) campaigns over the last three months, making it the most heavily targeted industry by state-linked actors. Chinese groups Mustang Panda, Volt Typhoon, and MISSION2074, along with North Korea’s Lazarus Group and Russia-linked Sandworm, conducted attacks across 18 countries. The study also highlights AI-assisted strikes on Mexican energy infrastructure and destructive Lotus wiper attacks targeting Venezuelan systems, marking a dangerous increase in both sophistication and scope of OT-targeted threats.

Source: Industrial Cyber

SYLVANITE Threat Group Breaches U.S. Utility DMZs via Zero-Day Exploits, Pre-Positions for OT Manipulation

Blackswan Cybersecurity warns that the SYLVANITE threat group has breached U.S. utility demilitarized zones by exploiting zero-day vulnerabilities in perimeter edge devices such as SAP NetWeaver and Ivanti products. Unlike financially motivated ransomware actors, SYLVANITE is conducting detailed reconnaissance and mapping of industrial control loops, signaling preparation for operational disruption. This advisory aligns with recent CISA alerts exposing critical vulnerabilities in Hitachi Energy, MACH HiDraw, and Schneider Electric controllers, alongside urgent warnings to secure internet-exposed Automatic Tank Gauge systems against Iranian-linked campaigns.

Source: Blackswan Cybersecurity

CISA Issues Binding Operational Directive 26-04: Risk-Based Vulnerability Patching Now Mandatory for Federal Agencies

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released Binding Operational Directive 26-04, requiring federal civilian agencies to prioritize patching only the highest-risk vulnerabilities within three days. The directive emphasizes patching vulnerabilities that are publicly exposed, are fully automatable to exploit, grant full system control, and are cataloged in the Known Exploited Vulnerabilities list. Importantly, agencies must also assess whether systems were compromised prior to patching, acknowledging that remediation extends beyond patch deployment. CISA encourages critical infrastructure operators and other organizations to adopt this risk-based approach.

Source: Industrial Cyber

Fortinet 2026 OT Security Report: Maturity Improving but Visibility Gaps and Ransomware Persist

Fortinet’s 2026 State of Operational Technology and Cybersecurity Report, surveying over 700 OT professionals worldwide, reveals progress alongside persistent challenges. While fewer organizations rate their security at the highest maturity level—dropping from 49% to 17%—this reflects increased visibility into real gaps. Ransomware remains a concern for half of respondents, and only 14% report full OT system visibility. Positive trends include reduced simultaneous IT/OT intrusions, down from 60% to 24%, suggesting improved segmentation is limiting attack spread, though attacker dwell times have lengthened.

Source: Fortinet

MS-ISAC Loses 70% of Membership After Federal Funding Cut, Leaving Critical Infrastructure Exposed

Following an eight-month loss of federal funding, the Multi-State Information Sharing and Analysis Center (MS-ISAC) has seen membership collapse from over 18,500 to roughly 5,600 organizations. Key states including Washington, Colorado, Michigan, and Kentucky have withdrawn, leaving thousands of local jurisdictions without vital cyber threat intelligence and incident response support. Experts warn this erosion of resources creates dangerous blind spots amid active cyber campaigns by China and Iran, while legislative efforts are underway to restore federal funding and rebuild capabilities.

Source: Cybersecurity Dive

As the threat landscape grows more complex and adversaries more resourceful, staying informed and vigilant remains essential for protecting critical OT, ICS, and IoT environments. Continued attention to emerging risks and best practices will be key to resilience in the months ahead.
