Today’s briefing highlights a surge in sophisticated cyber threats targeting operational technology (OT) and industrial control systems (ICS) within critical infrastructure sectors, including water utilities, manufacturing, and oil and gas. Notably, the integration of AI tools in cyberattacks and the persistence of supply chain vulnerabilities underscore an evolving threat landscape that demands enhanced detection capabilities and cross-disciplinary security strategies.
AI-Assisted Intrusion Targets Mexican Water Utility’s OT Systems, Warns Dragos
Dragos has described an AI-assisted intrusion attempt against Servicios de Agua y Drenaje de Monterrey (SADM), a municipal water and drainage utility in Mexico. Between December 2025 and February 2026 the attackers used commercial large language models, including Anthropic’s Claude and OpenAI’s GPT, to speed up reconnaissance, malware development and lateral movement. According to Dragos, Claude identified OT-adjacent infrastructure such as a vNode industrial gateway and SCADA/IIoT platforms, and the attackers then ran automated password spraying against SCADA login interfaces. The attempt ultimately failed, but it shows how readily available AI tooling lowers the barrier to targeting OT environments by automating reconnaissance and credential attacks that previously required a skilled operator. Dragos recommends OT-native detection, strict network segmentation and multi-factor authentication; MFA in particular blunts password spraying, which only pays off when a single valid password is enough to log in.
Source: Industrial Cyber / Dragos
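Password spraying is detectable precisely because it looks different from a brute-force attack on one account: a single source fails logins against many distinct usernames, with too few attempts per account to trip a lockout threshold. The script below is an added example, not Dragos’s tooling or anything from the SADM investigation. It runs a sliding-window spray detector over a constructed, hypothetical log format (`auth-fail src=... user=...`) of the kind a SCADA web interface or the reverse proxy in front of it might emit; the addresses, usernames and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events (hypothetical format):
# "<ISO timestamp> auth-fail src=<ip> user=<name>"
# 203.0.113.7 sprays six accounts in 13 seconds, then tries one more an hour later.
# 198.51.100.9 hammers a single account, which is brute force, not a spray.
SAMPLE_LOG = """\
2026-01-14T02:00:01Z auth-fail src=203.0.113.7 user=operator
2026-01-14T02:00:03Z auth-fail src=203.0.113.7 user=admin
2026-01-14T02:00:05Z auth-fail src=203.0.113.7 user=engineer
2026-01-14T02:00:08Z auth-fail src=203.0.113.7 user=scada
2026-01-14T02:00:11Z auth-fail src=203.0.113.7 user=maint
2026-01-14T02:00:14Z auth-fail src=203.0.113.7 user=hmi
2026-01-14T02:01:00Z auth-fail src=198.51.100.9 user=operator
2026-01-14T02:01:20Z auth-fail src=198.51.100.9 user=operator
2026-01-14T02:01:40Z auth-fail src=198.51.100.9 user=operator
2026-01-14T03:30:00Z auth-fail src=203.0.113.7 user=backup
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_events(text):
    """Return (timestamp, source, username) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login record; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"]))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map each source that failed logins against >= min_users distinct
    accounts inside any `window`-long span to the largest such count.

    Per-account lockout does not catch this pattern because each account
    sees only one or two attempts; the signal is breadth across accounts
    from one source, so the grouping key is the source, not the user."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until attempts[start..end]
            # all fall within `window` of each other.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(len(users), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, n in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {n} distinct accounts")
```

Tune `window` and `min_users` to the interface: an HMI with a handful of accounts needs a lower threshold than an enterprise SSO portal, and a spray that paces itself across hours needs a longer window than ten minutes.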
Polish Intelligence Reveals ICS Breaches at Five Water Treatment Plants
Poland’s domestic intelligence agency, ABW, has disclosed that during 2025, hackers compromised water treatment facilities across five towns, in some cases gaining direct access to critical industrial control systems (ICS). These breaches posed a tangible threat to the continuity and safety of water supply operations. While the specific threat actors remain unnamed, ABW attributes the intensified hostile cyber activity to the Russian Federation. This revelation follows a near-disruption of a Polish city’s water supply caused by a cyberattack in 2025, underscoring the persistent vulnerabilities in water sector infrastructure. The findings highlight the urgent need for strengthened ICS/SCADA security measures to protect essential service continuity from nation-state cyber threats.
Source: CISO Series / The Record
DAEMON Tools Supply Chain Attack Targets Manufacturing and Government Sectors
Kaspersky researchers have uncovered a supply chain attack run through the official DAEMON Tools website: trojanized installers distributed there since April 8, 2026 carried a malicious payload and backdoor implant. The operation reached thousands of systems worldwide, but second-stage backdoors were planted selectively on high-value targets in the manufacturing, government, scientific and retail sectors in Russia, Belarus and Thailand. Indicators point to Chinese-speaking threat actors. The malicious installers carried valid digital signatures from AVB Disc Soft, so signature validation alone did not separate them from genuine releases; a valid vendor signature establishes who signed a file, not that the build it signs is clean. The vendor has since released a clean version (12.6.0.2445), and any copy obtained from the official site on or after April 8 should be checked against it. This attack marks the fourth major supply chain compromise reported in 2026, a troubling escalation in targeted espionage against industrial and governmental infrastructure.
Source: Industrial Cyber / Kaspersky Securelist
Oil and Gas Sector’s OT Security Confidence Gap Exposed After Operation Epic Fury
A recent survey by OT security vendor Tosi reveals a significant confidence gap among U.S. oil and gas operators regarding OT breach detection capabilities. Despite 87% of respondents claiming they could identify OT intrusions within 24 hours, only 16% employ continuous OT-native monitoring—the industry best practice for detecting anomalies in industrial environments. More than half rely on traditional IT security tools, which lack visibility into specialized industrial protocols and physical process anomalies. This disconnect was spotlighted following Operation Epic Fury, which began on February 28, 2026, and prompted increased investment in OT cybersecurity. However, experts caution that without bridging the IT/OT organizational divide and addressing legacy ICS device vulnerabilities, heightened budgets alone will not close this critical security gap.
Source: SecureWorld
Ivanti EPMM Zero-Day (CVE-2026-6973) Exploited in Targeted Attacks; 850+ Exposed Instances Online
Ivanti has issued an urgent advisory for a critical zero-day vulnerability (CVE-2026-6973) in its Endpoint Manager Mobile (EPMM) platform that is being exploited in targeted attacks. The flaw, an improper input validation issue, allows remote code execution by an attacker who already holds administrative privileges on the appliance, on versions up to 12.8.0.0. That precondition is why Ivanti pairs the patch with credential rotation and a review of admin accounts: on an internet-exposed instance, an admin password that is weak, reused or already stolen is all that stands between a post-authentication bug and remote code execution. Shadowserver currently counts more than 850 exposed EPMM instances worldwide, concentrated in Europe and North America, a significant attack surface for OT and critical infrastructure operators that rely on mobile device management for field operations. Ivanti recommends applying the May 2026 security updates immediately, rotating credentials, and auditing admin accounts.
Source: CISO Series / BleepingComputer
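On the defender’s side, both the DAEMON Tools and the Ivanti EPMM items above reduce to the same inventory question: which installed versions fall on the wrong side of a version boundary? The script below is an added example, not code from Kaspersky, Ivanti or either vendor. It compares dotted version strings numerically, because a plain string comparison sorts 12.10 before 12.6, and applies two boundaries taken from the items themselves: 12.6.0.2445 (the DAEMON Tools clean release) and 12.8.0.0 (the top of the EPMM affected range as described). The inventory records, hostnames and the version 12.10.0.2500 are constructed for illustration; the exact EPMM fixed build is not stated on this page and is not assumed here.

```python
import re


def parse_version(s):
    """Split a dotted version string into a tuple of ints so that
    12.10.0 sorts after 12.6.0 (a plain string comparison gets this wrong)."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no numeric components in {s!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a <, ==, > b. Shorter versions are padded with
    zeros so that 12.6 compares equal to 12.6.0.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


# Boundaries as stated in the two items above. Each rule returns True when
# the installed version should be flagged.
RULES = {
    # Anything older than the vendor's clean build is suspect.
    "DAEMON Tools": lambda v: compare_versions(v, "12.6.0.2445") < 0,
    # "Affected versions up to 12.8.0.0" is read as inclusive.
    "Ivanti EPMM": lambda v: compare_versions(v, "12.8.0.0") <= 0,
}

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    ("host-a", "DAEMON Tools", "12.6.0.2445"),   # the clean build
    ("host-b", "DAEMON Tools", "12.5.1.2400"),   # older than the clean build
    ("host-c", "DAEMON Tools", "12.10.0.2500"),  # newer; string compare would call it older
    ("mdm-1", "Ivanti EPMM", "12.8.0.0"),        # top of the described affected range
    ("mdm-2", "Ivanti EPMM", "12.8.1.0"),        # above the described range
    ("host-d", "Unrelated Tool", "1.0"),         # no rule: ignored
]


def find_affected(inventory):
    """Return the (host, product, version) records that match a rule."""
    flagged = []
    for host, product, version in inventory:
        rule = RULES.get(product)
        if rule is not None and rule(version):
            flagged.append((host, product, version))
    return flagged


if __name__ == "__main__":
    for host, product, version in find_affected(INVENTORY):
        print(f"{host}: {product} {version} needs attention")
```

The version check is only a triage step: for the DAEMON Tools case it tells you which hosts to pull installer hashes from and compare against the clean release, and for EPMM it tells you where the admin-account review and credential rotation are most urgent.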
Collectively, these developments illustrate a rapidly evolving threat environment where advanced AI-assisted attacks, supply chain compromises, and exploitable zero-day vulnerabilities converge to challenge the resilience of OT and ICS environments. The expanding attack surface across critical infrastructure sectors demands a strategic, layered defense approach that integrates OT-native detection, rigorous access controls, and cross-domain collaboration between IT and OT security teams to safeguard industrial operations against increasingly sophisticated adversaries.