Welcome to the Daily OT Security News for May 2, 2026. Today’s briefing highlights critical vulnerabilities affecting OT and IoT platforms, new government guidance on zero-trust implementation for operational technology, evolving ransomware threats targeting critical infrastructure, and escalating destructive cyberattacks linked to Iran. Staying informed and proactive remains essential as adversaries increase their sophistication in targeting industrial environments.
CISA Issues Advisory on Critical Vulnerability in NSA’s GRASSMARLIN OT Mapping Tool (CVE-2026-6807)
CISA has released advisory ICSA-26-118-01 revealing a critical vulnerability (CVSS 9.1) in GRASSMARLIN, an NSA-developed open-source tool used for passive ICS/OT network mapping. The flaw enables attackers to exfiltrate sensitive files, risking exposure of detailed industrial infrastructure maps and facilitating lateral movement within OT networks. Since GRASSMARLIN reached end-of-life in 2017, no patches are forthcoming; organizations must immediately remove or isolate the tool to mitigate risk.
Source: Tech Jacks Solutions / CISA Advisory ICSA-26-118-01
EnOcean SmartServer IoT Platform Vulnerabilities Enable Remote Takeover of Smart Buildings and Factories
Researchers at Claroty identified two critical vulnerabilities (CVE-2026-22885 and CVE-2026-20761) in the EnOcean SmartServer IoT platform that could permit remote attackers to fully compromise smart buildings, data centers, and factory environments. Exploiting improper packet validation, attackers gain root privileges and arbitrary code execution on the Linux-based devices, bypassing memory defenses and gaining control of building automation systems. EnOcean has issued SmartServer 4.6 Update 2 to remediate these flaws amid proof-of-concept exploit disclosures.
Source: SC Media
U.S. Agencies Release Zero-Trust Guidance Specifically for Operational Technology Environments
A coalition of U.S. federal agencies including CISA, FBI, and the Departments of Defense, Energy, and State published comprehensive guidance on implementing zero-trust architectures in OT environments. The recommendations address legacy system constraints, availability, and safety considerations by advocating governance frameworks, supply chain oversight with software bills of materials, network segmentation, identity management, and layered compensating controls. The guidance underscores the necessity of collaboration across IT, OT, and cybersecurity teams to secure critical infrastructure beyond technology alone.
Source: TechTarget SearchSecurity / CISA
NightSpire Ransomware Group Claims 259 Victims, Transitions to RaaS Model Targeting Critical Infrastructure
NightSpire, a ransomware group first identified in February 2025, has claimed responsibility for 259 victims worldwide and announced a shift to a ransomware-as-a-service (RaaS) model as of April 2026. The group exploits a Fortinet FortiOS vulnerability (CVE-2024-55591) for initial access, leverages living-off-the-land tactics for lateral movement, and employs a unique OneDrive encryption method that corrupts files without altering icons or extensions, delaying detection. Their double extortion strategy includes aggressive 48-hour ransom deadlines to maximize pressure on victims.
Source: Barracuda Networks Blog
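As an added example (not from the Barracuda report and not derived from any NightSpire sample), one defender-side check for the extension-preserving encryption described above: flag files whose expected header bytes are gone and whose content has ciphertext-level entropy, while leaving genuinely compressed formats alone. The header table, threshold and sample files are assumptions constructed for illustration.

```python
import math
import random
from pathlib import PurePath

# Expected leading bytes for common document types (illustrative subset, not exhaustive).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext approaches 8.0 (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def assess_file(name: str, data: bytes) -> dict:
    """Return a verdict for one file; name/extension is the only metadata used."""
    expected = MAGIC.get(PurePath(name).suffix.lower())
    ent = shannon_entropy(data[:65536])
    header_ok = None if expected is None else data.startswith(expected)
    if expected is not None:
        # Known type with its header gone AND random-looking content: the file was
        # overwritten in place while its name, extension and icon stayed untouched.
        # Requiring both conditions keeps legitimate JPEG/ZIP files (high entropy,
        # valid header) from being flagged.
        suspicious = (not header_ok) and ent >= ENTROPY_THRESHOLD
    else:
        suspicious = ent >= ENTROPY_THRESHOLD
    return {"name": name, "entropy": round(ent, 2), "header_ok": header_ok, "suspicious": suspicious}

def scan(entries):
    return [assess_file(name, data) for name, data in entries]

# Constructed samples, not real artefacts; a fixed seed keeps the run reproducible.
_rng = random.Random(1)
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40),
    ("notes.txt", b"Shift handover: pump 3 vibration within limits.\n" * 30),
    ("budget.xlsx", _rng.randbytes(4096)),                     # encrypted in place
    ("photo.jpg", b"\xff\xd8\xff\xe0" + _rng.randbytes(4096)),  # legitimate, high entropy
]

if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```

Only `budget.xlsx` is reported as suspicious; `photo.jpg` has comparable entropy but keeps its header, which is why the check needs both signals.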
Iran-Linked Threat Actors Escalate Destructive Cyberattacks on U.S. Critical Infrastructure
Since February 2026, Iranian-backed cyber threat groups have intensified destructive campaigns against U.S. critical infrastructure, deploying data-wiping malware targeting programmable logic controllers and Rockwell Automation devices. Notable incidents include a wiper attack on medical device manufacturer Stryker and ongoing threats to water systems. CISA warns that internet-accessible OT assets with weak security posture remain highly vulnerable and urges organizations to remove internet-facing devices, enable multifactor authentication, and harden administrative accounts.
Source: TechTarget SearchSecurity / Cybersecurity Dive
As adversaries continue to evolve their tactics and target OT environments with increasing sophistication, it is imperative for organizations to maintain vigilance, prioritize patching and mitigation, and foster cross-domain collaboration to protect critical industrial assets.