Daily OT Security News: May 10, 2026

Today’s briefing underscores the escalating complexity and urgency in securing operational technology (OT), industrial control systems (ICS), and Internet of Things (IoT) environments. From state-sponsored sabotage and legacy protocol vulnerabilities to AI-driven cyber threats and evolving regulatory mandates, the landscape demands heightened vigilance and adaptive defense strategies to protect critical infrastructure worldwide.

Russian Hackers Breach Polish Water Treatment Plants, Raising NATO Infrastructure Alarm

Poland’s Internal Security Agency (ABW) confirmed that Russian-linked threat actors, including APT28 and APT29 alongside Belarusian group UNC1151, breached five Polish water treatment plants in 2025, gaining access to industrial control systems (ICS) that manage water supply parameters. The attackers were able to alter device settings, risking supply disruption or contamination in towns including Jabłonna Lacka and Szczytno. The tactics closely mirror prior hybrid-warfare sabotage operations in Ukraine and the 2021 Oldsmar, Florida water plant incident. The intrusions also targeted Polish power grids and military sites, underscoring the breadth of the campaign against NATO critical infrastructure.

Source: Cyber Recaps / TechCrunch

SDR Spoofing Attack Halts Taiwan High-Speed Rail, Exposing Legacy OT Radio Vulnerabilities

A 23-year-old university student allegedly used commercially available software-defined radio (SDR) equipment to spoof TETRA-based operational communications on Taiwan High Speed Rail Corp (THSRC), triggering emergency braking across multiple trains on April 5, 2026, and halting services for 48 minutes. The attacker replicated static TETRA signalling parameters — some unchanged for 19 years — to inject a falsified General Alarm command. Security experts warn that the incident exposes a systemic failure across legacy rail communications worldwide: TETRA was designed in the 1990s under the assumption that physical possession of authorised radio equipment was the security boundary, an assumption that collapsed once sub-$50 SDR hardware became widely available. Similar vulnerabilities have been identified in rail systems in Poland and the United States.

Source: IOT Insider

CISA Launches ‘CI Fortify’ Initiative to Harden OT Networks Against Geopolitical Conflict

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) unveiled its CI Fortify initiative, directing critical infrastructure operators to prepare their OT networks for isolation and recovery in the event of a geopolitical conflict. The program instructs operators to assume that third-party connections — including telecommunications, internet, vendors, and service providers — will be unreliable during a conflict scenario, and that threat actors may already have some access to OT networks. Acting CISA Director Nick Andersen cited AI-accelerated cyberattacks as a primary driver of the initiative. Separately, incident response firm Dragos confirmed that a hacker used an AI model to compromise a municipal water and drainage utility in Monterrey, Mexico, marking a notable escalation in AI-assisted attacks against operational technology environments.

Source: Security Boulevard / GovTech

AI Emerges as Both Defender and Adversary in OT Cybersecurity

A new analysis by OT cybersecurity expert Mark Lynd highlights how artificial intelligence is now operating on both sides of the industrial control system security equation. On the defensive side, ML-based anomaly detection inside ICS networks has matured from research to baseline expectation, while AI-augmented asset discovery tools can now produce OT inventory at fidelity previously infeasible. On the offensive side, adversaries are using AI to accelerate reconnaissance of plant footprints via public imagery and regulatory filings, to generate credible exploit-path hypotheses from vendor advisories, and to conduct voice-clone phishing attacks against named OT operators. Governance gaps — including the absence of AI supply-chain discipline and outdated threat models that do not account for AI-augmented actors — represent the most pressing near-term risk for operators.

Source: Mark Lynd / Netsync

EU Cyber Resilience Act Imposes IoT Vulnerability Reporting Obligations Starting September 2026

The European Union’s Cyber Resilience Act (CRA) will require manufacturers of software and connected hardware products — including IoT devices — to report actively exploited vulnerabilities and severe security incidents through ENISA’s new Single Reporting Platform beginning September 11, 2026. Under CRA Article 14, manufacturers must issue an early warning within 24 hours of discovering an actively exploited vulnerability, followed by a fuller notification within 72 hours and a final report within 14 days of a corrective measure becoming available. The broader compliance regime — covering secure-by-design obligations, conformity assessments, and CE-marking — takes effect December 11, 2027. The regulation applies horizontally to all products with digital elements placed on the EU market, making it one of the most consequential IoT security regulations globally.

Source: Bright Defense

As cyber threats against OT, ICS, and IoT environments continue to evolve in sophistication and scale, it is imperative for security practitioners to maintain a proactive posture. Continuous monitoring, adoption of emerging defensive technologies, and adherence to evolving regulatory frameworks are essential to safeguarding critical infrastructure against increasingly complex adversaries.
