Daily OT Security News: June 16, 2026

Welcome to the Daily OT Security News briefing for June 16, 2026. Today’s coverage spans critical infrastructure threats, regulatory developments, and emerging cyber-physical risks across water utilities, food production, maritime operations, and transportation sectors. These stories underscore the persistent targeting of operational technology environments by state-sponsored actors and criminal groups, alongside the regulatory momentum driving security maturity across regulated industries.

Iran-Linked Handala Group Breaches California Water Service, Exposing IT/OT Pathways

The Iran-linked threat group Handala, assessed as a MOIS-affiliated front also tracked as Void Manticore and Storm-0842, has claimed responsibility for breaching California Water Service (Cal Water), one of the largest U.S. water utilities serving approximately two million customers. According to threat intelligence firm Dataminr, the group released a 5 GB proof-of-concept data dump containing customer billing information, personally identifiable information (PII), and administrative credentials for an internal RTKBase GPS correction network. The RTKBase platform—a lightweight open-source GNSS application often deployed on Raspberry Pi hardware with minimal authentication—is assessed as the probable initial access vector or lateral pivot point that enabled access to the billing environment. While no disruption to water treatment or distribution systems has been confirmed to date, Handala possesses destructive wiper malware and has previously escalated from data theft to destructive operations, raising serious concerns about potential future attacks on operational systems. Dataminr urges all utilities to rotate compromised credentials immediately, verify that RTKBase and similar NTRIP interfaces are not internet-exposed, and conduct thorough reviews of network segmentation between operational support systems and customer data environments.

Read more at Industrial Cyber →
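One concrete way to act on the Dataminr recommendation in the Cal Water item above, added here as an example that is not part of the original briefing and not Dataminr's or RTKBase's code: parse the sourcetable an NTRIP caster hands to any client and flag mountpoints whose authentication field is not Basic or Digest, so an unauthenticated correction stream on a utility's own caster is caught during an exposure review. The sample sourcetable, host and mountpoint names are constructed; field positions follow the NTRIP STR record layout.

```python
"""Audit an NTRIP sourcetable for mountpoints served without authentication."""
from dataclasses import dataclass

# Constructed sample of an NTRIP v1 sourcetable response, as a caster such as
# the one bundled with RTKBase returns it to "GET / HTTP/1.1" from an NTRIP client.
SAMPLE_SOURCETABLE = (
    "SOURCETABLE 200 OK\r\n"
    "Server: NTRIP Caster/1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "CAS;caster.example;2101;EXAMPLE;Example Utility;0;US;37.00;-122.00;0.0.0.0;0;\r\n"
    "STR;PLANT_A;Plant A base;RTCM 3.2;1005(1),1077(1);2;GPS+GLO;NONE;US;"
    "37.00;-122.00;0;0;RTKBase;none;N;N;2400;\r\n"
    "STR;PLANT_B;Plant B base;RTCM 3.2;1005(1),1077(1);2;GPS+GLO;NONE;US;"
    "37.10;-122.10;0;0;RTKBase;none;B;N;2400;\r\n"
    "ENDSOURCETABLE\r\n"
)

# STR record: field 0 is "STR", field 1 the mountpoint, field 15 the
# authentication flag ("N" none, "B" basic, "D" digest).
AUTH_FIELD = 15
ACCEPTED_AUTH = {"B", "D"}


@dataclass
class Mountpoint:
    name: str
    authentication: str


def parse_sourcetable(text):
    """Return the STR (stream) records from a sourcetable response."""
    head, _, body = text.partition("\r\n\r\n")
    status = head.split("\r\n")[0]
    if not status.startswith(("SOURCETABLE 200", "HTTP/1.0 200", "HTTP/1.1 200")):
        raise ValueError("not a sourcetable response: %r" % status)
    mounts = []
    for line in body.splitlines():
        fields = line.split(";")
        if fields[0] != "STR" or len(fields) <= AUTH_FIELD:
            continue  # CAS/NET records, ENDSOURCETABLE, or a truncated line
        mounts.append(Mountpoint(fields[1], fields[AUTH_FIELD].strip().upper()))
    return mounts


def unauthenticated_mountpoints(text):
    """Names of mountpoints that do not require Basic or Digest authentication."""
    return [m.name for m in parse_sourcetable(text)
            if m.authentication not in ACCEPTED_AUTH]
```

Run it against the sourcetable fetched from each caster in your own asset inventory; any mountpoint it reports, or any caster that answers from a public address at all, is a finding for the segmentation review.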

Ransomware Attack Forces Mackay Sugar to Shut Down Australian Mills

Australia’s second-largest raw sugar producer, Mackay Sugar, has been struck by a ransomware attack attributed to the Gentlemen group, tracked by Microsoft as Storm-2697, forcing the shutdown of two of its three Queensland cane-processing mills. The attack, which came to light on June 10, disrupted cane supply and logistics systems and halted harvesting operations, demonstrating the direct impact of cyber incidents on food production and supply chains. The company has since commenced limited manual crushing at one mill and reports significant progress in system restoration, with steam trials underway ahead of a staged restart. It remains unclear whether industrial control systems (ICS) or operational technology (OT) were directly reached or only indirectly affected through IT system compromise, highlighting the blurred boundaries between IT and OT environments in modern manufacturing facilities. The Gentlemen group, active since mid-2025, employs malware with worm-like lateral movement capabilities and has listed more than 500 alleged victims on its Tor-based leak site. No data has been published for Mackay Sugar as of this writing, though the threat of extortion remains.

Read more at SecurityWeek →

Cisco Patches Eighth SD-WAN Zero-Day of 2026 as CISA Adds CVE-2026-20262 to KEV Catalog

Cisco has disclosed and patched CVE-2026-20262, a medium-severity arbitrary file write vulnerability in Catalyst SD-WAN Manager that has already been exploited in limited, likely targeted attacks. An attacker with valid write-access credentials can send specially crafted HTTP requests to an affected API endpoint to create or overwrite files on the underlying operating system, with the potential to escalate to root-level privileges. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on the same day, requiring federal agencies to remediate by June 29. This marks the eighth Cisco SD-WAN vulnerability confirmed exploited in 2026, a troubling pattern consistent with a sophisticated, possibly state-sponsored threat actor systematically targeting network infrastructure that often serves as a critical bridge between enterprise IT and operational technology environments. Organizations running Catalyst SD-WAN Manager should apply available patches immediately and conduct thorough audits for signs of unauthorized file creation or privilege escalation activity that may indicate prior compromise.

Read more at SecurityWeek →

U.S. Coast Guard Expands Maritime OT Cybersecurity Framework with New Risk Assessment Guidance

The U.S. Coast Guard has released expanded policy and implementation guidance to help regulated maritime entities comply with its cybersecurity regulations for U.S.-flagged vessels, facilities, and Outer Continental Shelf (OCS) facilities. The guidance makes the Cybersecurity Assessment (CSA) the foundational first step in a continuous maturity process, aligned with the NIST Cybersecurity Framework, and clarifies how organizations should designate critical IT and OT systems. Requirements include maintaining a Coast Guard-approved Cybersecurity Plan, designating a 24/7-available Cybersecurity Officer (CySO), conducting annual audits and biannual drills, implementing multifactor authentication and least-privilege access, and ensuring robust network segmentation between IT and OT environments. The rules explicitly prohibit exposing OT to the public internet without documented operational justification and mandate prompt remediation of known exploited vulnerabilities. The guidance also addresses supply-chain security, vendor oversight, and continuous monitoring—areas of growing concern given the interconnected nature of modern maritime operations and the critical role of shipping in global commerce.

Read more at Industrial Cyber →

Nozomi Networks: OT/IoT Convergence Turns Connected Airports into High-Risk Cyber-Physical Targets

A new analysis from Nozomi Networks highlights how the convergence of OT, IoT, and IT systems in modern airports creates a sprawling cyber-physical attack surface that is increasingly targeted by nation-state actors, ransomware operators, and hacktivists. The report points to the September 2025 ransomware attack on Collins Aerospace’s MUSE check-in platform—which cascaded across Heathrow, Brussels, Berlin, and Dublin—as a defining example of how a single compromised supplier can disrupt operations across multiple airports and demonstrate the systemic risk posed by interconnected infrastructure. Nozomi’s research finds that roughly 72% of attack techniques in real cyber-physical incidents target OT endpoints such as HMIs, engineering workstations, and data historians rather than PLCs directly, suggesting that adversaries are increasingly sophisticated in their targeting of human-machine interfaces and information systems that control operational processes. IoT devices including surveillance cameras, HVAC controllers, and access-control readers are identified as particularly vulnerable due to weak authentication, default credentials, and limited monitoring capabilities. The analysis also notes that AI is now being integrated into adversarial operations across reconnaissance, lateral movement, and payload delivery, representing a significant escalation in attacker sophistication. EASA Part-IS regulations, which came into force for airport operators in October 2025, now mandate asset inventory, risk management, continuous monitoring, and incident reporting—with non-compliance penalties of up to 4% of annual turnover, creating strong incentives for security investment.

Read more at Nozomi Networks →

Today’s briefing underscores several critical themes for OT/ICS security practitioners. First, the convergence of IT and OT environments continues to create unexpected attack pathways, as demonstrated by the Cal Water incident involving a GPS correction network. Second, ransomware remains a potent threat to industrial operations, with groups like Gentlemen demonstrating both capability and intent to disrupt production systems. Third, regulatory frameworks—from the Coast Guard’s maritime guidance to EASA’s airport rules—are increasingly prescriptive about OT security maturity, making compliance a strategic imperative. Finally, the integration of AI into adversarial tradecraft and the targeting of IoT endpoints over traditional control systems signal an evolution in threat sophistication that demands continuous vigilance and investment in detection and response capabilities.
