Today’s OT/ICS threat landscape is marked by high-impact intrusions, rapidly exploited vulnerabilities in widely deployed security platforms, and an elevated government focus on resilience for critical infrastructure. Operators should prioritize patching, network segmentation, credential hygiene, and contingency planning as adversaries and geopolitical tensions increase the risk to industrial and operational environments.
Iran-Linked Handala Group Breaches California Water Service, Dumps 5GB of Data
The Tehran-linked actor known as Handala (also tracked as VOID MANTICORE) claimed responsibility for a breach at California Water Service (Cal Water), an investor-owned utility serving roughly two million customers. According to reporting and third-party analysis, the group exfiltrated approximately 5 gigabytes of data—customer names, addresses, phone numbers, account numbers, payment histories and administrative credentials—by exploiting an exposed RTKBase GPS correction platform that was reachable over HTTP on port 10000. Dataminr assessed the RTKBase instance as the likely entry point, with the attacker pivoting into billing systems. Handala framed the intrusion as politically motivated retaliation and asserted it could have caused widespread disruption; security experts warn the stolen credentials and network reconnaissance (IP maps across seven districts) materially increase the risk of a destructive follow-on operation. Cal Water reported no evidence of intrusion into water production or delivery systems, but the incident underscores the need for strict access controls, rapid credential rotation, and hardened segmentation between engineering and business networks.
CISA Warns Critical Infrastructure Will Be Successfully Hacked in Peer-State Conflict, Launches CI Fortify
CISA’s Acting Director Nick Andersen warned at the Critical Effect conference that U.S. critical infrastructure — including water, power and banking systems — will almost certainly be compromised by sophisticated adversaries in the event of a military confrontation with a peer state. In response, CISA has launched CI Fortify, a program redirecting OT assessment resources to prepare service providers to operate in degraded conditions without reliable internet or supervisory systems. The agency’s plan includes 75–100 focused CI Fortify assessments over the coming year and a major EPA-led water sector exercise next month. CI Fortify emphasizes “ruthless prioritization,” emergency planning, and validation of manual or fallback procedures for when SCADA, telemetry and centralized controls are unavailable or untrusted.
GovInfoSecurity – June 18, 2026
CISA Releases Eight ICS Advisories Covering Rockwell, Schneider Electric, and Mitsubishi Equipment
On June 18 CISA published eight new ICS advisories addressing vulnerabilities across widely deployed industrial products, including Rockwell Automation FactoryTalk Historian SE, multiple Schneider Electric systems (EasyLogic T150, Saitel DP, Easergy, EcoStruxure, PowerLogic), Mitsubishi Electric MELSEC iQ-F Series and FX5-ENET/IP modules, as well as AVer PTC cameras and AzeoTech DAQFactory. These advisories follow five additional Rockwell-related advisories released on June 16 and coincide with a KEV catalog update. Affected assets are common in water, wastewater and energy environments; asset owners should review the advisories, apply vendor mitigations or patches, and validate compensating controls such as network segregation and access restrictions to reduce exposure.
WaterISAC / CISA – June 18, 2026
Splunk Enterprise CVE-2026-20253 Actively Exploited Days After Disclosure; CISA Orders Federal Patch by June 21
A critical unauthenticated remote code execution vulnerability in Splunk Enterprise (CVE-2026-20253) is being actively exploited in the wild shortly after disclosure, prompting CISA to add the flaw to its KEV catalog and mandate that federal agencies patch by June 21. The vulnerability stems from an unauthenticated PostgreSQL sidecar endpoint that allows arbitrary file creation or truncation, enabling full remote code execution when the endpoint is reachable. Splunk issued fixes in versions 10.2.4 and 10.0.7 on June 10, and a public proof-of-concept by watchTowr preceded the observed exploitation that Splunk confirmed on June 18. Given Splunk’s ubiquitous role as a SIEM and log aggregator in OT and critical infrastructure environments, organizations must urgently apply vendor patches, isolate exposed management interfaces, and search log sources for indicators of compromise.
Cisco Patches Critical ISE Vulnerability CVE-2026-20181 Enabling Root Access on Network Access Control Systems
Cisco released fixes for a critical command execution vulnerability in Identity Services Engine (ISE) and ISE-PIC (CVE-2026-20181, CVSS 9.1) that permits an authenticated administrator to send crafted HTTP requests and escalate to root on the underlying OS. In single-node deployments, exploitation may also cause a denial of service that prevents endpoint network access. Cisco simultaneously addressed CVE-2026-20190, a high-severity information disclosure that could expose hashed credentials. Patches are available in ISE/ISE-PIC 3.3 Patch 11 and 3.4 Patch 6, with a 3.5 hotfix and a full patch scheduled for August. Although Cisco PSIRT reports no known active exploitation to date, organizations that use ISE for OT network segmentation and NAC should apply the updates promptly and verify the integrity of their access-control configurations.
SecurityAffairs – June 18, 2026
Maintaining OT/ICS resilience requires continuous vigilance: timely patching, rigorous access controls, proactive incident-playbook testing, and plans to operate safely under degraded or disconnected conditions. Security teams should treat these developments as a prompt to validate defenses and ensure operational continuity for critical services.