Today’s OT and IoT security landscape continues to evolve rapidly as adversaries leverage advanced technologies and exploit longstanding vulnerabilities in critical infrastructure. From AI-driven cyberattacks to sophisticated botnets and systemic efforts to enhance resilience, organizations must remain vigilant and adaptive to emerging threats that blur the lines between IT and OT environments.
World’s First AI-Directed Cyberattack Targets Mexican Water Utility’s OT Network
In a groundbreaking case analyzed by Dragos and Gambit Security, an unknown threat actor employed Anthropic’s Claude and OpenAI’s GPT models to orchestrate what is described as the first fully AI-directed cyberattack campaign, which targeted Mexican government entities. Between late 2025 and early 2026, the attackers exfiltrated millions of sensitive records, while the AI autonomously identified and attempted to breach a critical vNode industrial gateway within a Monterrey water utility’s OT network. Although the gateway’s authentication controls successfully thwarted the breach, the incident highlights how AI can drastically accelerate IT-to-OT targeting timelines, posing a new challenge for defenders. Dragos underscores the insufficiency of prevention-only OT security approaches and advocates for enhanced network visibility, detection, and response aligned with established ICS cybersecurity frameworks.
Source: Dragos
Taiwan High-Speed Rail Disrupted by Student Using SDR to Spoof TETRA Radio Signals
A 23-year-old university student in Taiwan exploited a nearly two-decade-old vulnerability in the TETRA radio system used by Taiwan High Speed Rail Corp to halt four trains for 48 minutes during a national holiday. By intercepting and cloning unrotated communication parameters with commercially available software-defined radio equipment, the attacker triggered emergency stop protocols that brought trains to an immediate halt. This incident exposed critical weaknesses in transport communication security and prompted the Ministry of Transportation to commit to infrastructure hardening measures. The case serves as a stark reminder that legacy systems with static configurations remain prime targets for disruption, necessitating urgent cybersecurity modernization in critical transport sectors.
Source: Security Affairs
CISA Launches ‘CI Fortify’ Initiative to Harden Critical Infrastructure Against Nation-State OT Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced ‘CI Fortify,’ a strategic program designed to prepare critical infrastructure operators for cyber scenarios involving disrupted communications and partial OT network compromise. Emphasizing emergency isolation and recovery, the initiative calls for disconnecting OT systems from third-party and business networks to maintain essential services during crises. CISA’s approach stresses layered control and containment beyond simple segmentation, urging vendors and service providers to address contractual and technical barriers to emergency isolation. This forward-looking strategy reflects a growing recognition that resilience in OT environments requires robust planning for degraded operational conditions and rapid recovery capabilities.
Source: Industrial Cyber
Australia Establishes Cyber Incident Review Board Modeled on U.S. CSRB to Strengthen OT Resilience
Australia has formalized its Cyber Incident Review Board (CIRB) under the Cyber Security Act 2024 to conduct no-fault, post-incident analyses of major cybersecurity events affecting critical infrastructure. Chaired by Telstra’s global CISO, Narelle Devine, the seven-member board includes leaders from key sectors such as energy, logistics, telecommunications, aerospace, and academia. Modeled after the U.S. Cyber Safety Review Board, the CIRB will focus on identifying systemic vulnerabilities and lessons learned, with a clear mandate covering OT and ICS environments. This initiative aligns with Australia’s broader cyber strategy to enhance national resilience by institutionalizing continuous learning and improvement from cyber incidents.
Source: Industrial Cyber
Mirai-Based xlabs_v1 Botnet Exploits Android Debug Bridge to Weaponize IoT Devices for DDoS
Researchers at Hunt.io have identified xlabs_v1, a new Mirai-derived botnet targeting Android devices with the Android Debug Bridge (ADB) service exposed on TCP port 5555. The botnet compromises a broad range of consumer IoT hardware, including Android TV boxes and residential routers, enrolling them into a DDoS-for-hire platform with bandwidth-tiered pricing. Employing 21 flood variants and advanced evasion techniques, xlabs_v1 primarily targets gaming servers and Minecraft hosts. The operator’s use of ChaCha20 encryption for build identifiers and the exploitation of default-enabled ADB ports highlight persistent security gaps in consumer IoT devices that continue to fuel large-scale attack infrastructures.
Source: The Hacker News
As these developments illustrate, OT and IoT security professionals must contend with increasingly sophisticated adversaries leveraging AI, legacy system vulnerabilities, and insecure default configurations. The convergence of IT and OT threats demands comprehensive defense-in-depth strategies that incorporate visibility, detection, rapid response, and resilience planning. Moreover, institutionalizing lessons learned through initiatives like Australia’s CIRB and CISA’s CI Fortify will be critical to advancing the maturity of OT security programs and safeguarding critical infrastructure against evolving cyber risks.