Executive Summary
Week 03 of 2026 saw a significant CISA ICS Patch Tuesday release addressing critical vulnerabilities in AVEVA Process Optimization (RCE, SQL injection), Siemens Industrial Edge devices (authentication bypass allowing user impersonation), and Rockwell GuardLink EtherNet/IP interfaces (DoS). Pwn2Own Automotive 2026 in Tokyo (January 21-23) is expected to reveal new zero-day vulnerabilities in automotive systems. The week also saw continued activity from pro-Russia hacktivist groups targeting critical infrastructure via unsecured VNC connections.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of January 9 - January 16, 2026
Critical Alerts & Advisories
CISA ICS Patch Tuesday - January 15, 2026
CISA released multiple ICS advisories on January 14-15, 2026, addressing critical vulnerabilities across major industrial vendors:
AVEVA Process Optimization (ICSA-26-015-01)
Critical Severity - Multiple vulnerabilities enabling remote code execution, SQL injection, and privilege escalation:
| CVE | Vulnerability | Impact |
|---|---|---|
| CVE-2025-61937 | Remote Code Execution | System compromise |
| CVE-2025-64691 | SQL Injection | Data manipulation |
| CVE-2025-61943 | Privilege Escalation | Elevated access |
| CVE-2025-65118 | Information Disclosure | Sensitive data exposure |
| CVE-2025-64729 | Unspecified | Multiple impacts |
| CVE-2025-65117 | Unspecified | Multiple impacts |
| CVE-2025-64769 | Unspecified | Multiple impacts |
Sector Affected: Critical Manufacturing (worldwide deployment)
Siemens Industrial Edge Devices - Critical Authentication Bypass
Siemens released two advisories describing a critical authentication bypass flaw in Industrial Edge Devices:
- Impact: An unauthenticated remote attacker can bypass authentication and impersonate legitimate users
- Products Affected: Industrial Edge Devices and Industrial Edge Device Kit
- Additional Advisories: High-severity fixes for RUGGEDCOM, SIMATIC ET 200SP, and TeleControl Server Basic products
Schneider Electric Vulnerabilities
Four new advisories including:
- EcoStruxure Process Products: High-severity privilege escalation vulnerability
- Third-party Component Issues: Vulnerabilities in Zigbee and Redis components used in Schneider products
Rockwell Automation Advisories (January 13, 2026)
ICSA-26-013-01 - GuardLink EtherNet/IP Interface (432ES-IG3 Series A)
- CVE-2025-9368: Denial-of-service vulnerability requiring manual power cycle to recover
- Affected Version: V1.001
- Fix: Update to V2.001.9 or later
ICSA-26-013-02 - FactoryTalk DataMosaix Private Cloud
- CVE-2025-12807: Unauthorized database operations through exposed API endpoints
- Impact: Low-privilege users can perform sensitive database operations
- Affected Versions: 7.11, 8.00, 8.01
Phoenix Contact FL SWITCH 2xxx Series
Multiple vulnerabilities disclosed, including cross-site scripting (XSS), denial of service, authentication weaknesses, and information exposure. The advisory was also published by Germany's CERT@VDE.
Hitachi Energy Asset Suite (ICSA-26-008-01)
CISA republished Hitachi Energy PSIRT advisory 8DBD000231 regarding Asset Suite vulnerabilities.
CISA New AI Security Guidance for Critical Infrastructure
January 15, 2026 - CISA and international partners issued new guidance on securing AI in operational technology:
Key Concerns:
- Risks AI poses to OT environments managing power grids, water treatment, and industrial processes
- Data breach risks across OT environments from AI implementations
Partner Agencies:
- Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)
- NSA AI Security Center
- FBI
- Canadian Centre for Cyber Security
- German BSI
- Netherlands NCSC
- New Zealand NCSC
- UK NCSC
Known Exploited Vulnerabilities Update
January 7, 2026 - CISA added two vulnerabilities to the KEV Catalog:
| CVE | Product | Details |
|---|---|---|
| CVE-2009-0556 | Microsoft Office PowerPoint | Code injection enabling RCE |
| CVE-2025-37164 | HPE OneView | Remote code execution by unauthenticated users |
Active Campaign: Check Point identified large-scale exploitation of CVE-2025-37164 delivering the RondoDox botnet with over 40,000 attack attempts in a 4-hour window. Primary targets: government organizations, financial services, and industrial manufacturing.
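KEV additions only help if they are joined against what is actually deployed. The script below, added here as an example and not CISA tooling, loads a KEV-shaped JSON document, lists what was added after a given date, and ranks scanner findings that match a KEV entry by remediation due date and by OT zone. The two-entry catalog excerpt and the scanner export are constructed sample data; the asset names, zones, and the `ZONE_PRIORITY` ordering are hypothetical, and the due dates shown are illustrative rather than copied from the catalog.

```python
"""Triage scanner findings against a CISA KEV catalog feed.

Added example for this report, not CISA tooling. The JSON shape mirrors the
public KEV feed (fields cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse). SAMPLE_KEV_JSON is a constructed excerpt and
SAMPLE_FINDINGS a constructed scanner export with hypothetical assets/zones.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise (HPE)",
         "product": "OneView", "dateAdded": "2026-01-07", "dueDate": "2026-01-28",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft",
         "product": "Office PowerPoint", "dateAdded": "2026-01-07", "dueDate": "2026-01-28",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner export: one row per (asset, CVE). CVE-2025-9368 is the
# GuardLink DoS from the Rockwell advisory above; it is not in KEV, so it should
# not be flagged here even though it still needs the vendor fix.
SAMPLE_FINDINGS = [
    {"asset": "oneview-mgmt-01", "zone": "IT-DMZ", "cve": "CVE-2025-37164"},
    {"asset": "eng-ws-07", "zone": "OT-L3", "cve": "CVE-2009-0556"},
    {"asset": "eng-ws-07", "zone": "OT-L3", "cve": "CVE-2025-9368"},
    {"asset": "guardlink-l2", "zone": "OT-L1", "cve": "CVE-2025-9368"},
]

# Hypothetical ordering: lower number = closer to the process = fix first.
ZONE_PRIORITY = {"OT-L1": 0, "OT-L2": 1, "OT-L3": 2, "IT-DMZ": 3, "IT": 4}


def load_kev(text: str) -> dict[str, dict]:
    """Index the KEV document by CVE ID."""
    doc = json.loads(text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def kev_added_since(kev: dict[str, dict], since: date) -> list[dict]:
    """Entries whose dateAdded is on or after `since`, sorted by CVE ID."""
    recent = [v for v in kev.values() if date.fromisoformat(v["dateAdded"]) >= since]
    return sorted(recent, key=lambda v: v["cveID"])


def triage(findings: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Keep only findings that are in KEV and rank them for remediation.

    Sort key: due date first, then zone priority, then asset name. The
    dueDate binds federal civilian agencies under BOD 22-01; for everyone
    else it is a useful 'actively exploited, fix now' signal.
    """
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not known-exploited: leave to normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            **f,
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: (r["due"], ZONE_PRIORITY.get(r["zone"], 99), r["asset"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in triage(SAMPLE_FINDINGS, catalog, date(2026, 1, 16)):
        print(f"{row['asset']:16} {row['zone']:7} {row['cve']:15} due {row['due']} "
              f"({row['days_left']:+d} days) {row['vendor']} {row['product']}")
```

To run against the live feed, replace `SAMPLE_KEV_JSON` with the body of the catalog JSON URL published on CISA's KEV page and `SAMPLE_FINDINGS` with your scanner's export; the rest of the logic is unchanged.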
Automotive CPS Security
Pwn2Own Automotive 2026 Begins January 21
Pwn2Own Automotive 2026 takes place January 21-23, 2026 in Tokyo, Japan:
- Prize Pool: Over $1 million
- Sponsors: Alpitronic joins Tesla as title sponsor
- Previous Results: Pwn2Own Automotive 2025 uncovered 49 zero-day vulnerabilities
- Focus: Connected car vulnerabilities, software-defined vehicles (SDVs)
New Category for 2026: Open Charge Alliance - targeting OCPP (Open Charge Point Protocol) which standardizes communication between charge points and central systems. Previous findings showed exploit chains can extend both to and from charging devices, making them potential gateways for compromising vehicles.
US Commerce Rule on Connected Vehicles
On January 14, 2025, the Department of Commerce issued a final rule prohibiting the import and sale of connected vehicles, and of their connectivity and automated-driving software and hardware, that have a sufficient nexus to Russia or China. It was one of the final major cyber-related actions of the Biden administration; the software prohibitions begin with model year 2027 vehicles, with hardware prohibitions following later.
Automotive Cybersecurity Threat Landscape
According to industry analysis:
- Throughout 2025, attacks on vehicles and surrounding systems increased with no indication of slowing in 2026
- Attackers using AI to map targets at faster speeds, create convincing phishing attempts, and identify vulnerabilities with less manual effort
- Supply-chain cybersecurity becoming crucial for production continuity and brand trust
Attack Vectors:
- Cellular modems and telematics units for initial vehicle network access
- Lateral movement through internal networks to safety-critical systems
- Industry Cost Impact: $22.5 billion in 2025 ($20B data leakage, $1.9B downtime, $538M ransomware)
Medical Device CPS Security
FDA Regulatory Developments
The FDA’s final cybersecurity guidance (June 2025) is now in force with expectations intensifying in 2026:
- Quality System Regulation (QMSR) takes effect February 2, 2026
- Inspections after February 2 will follow the revised Part 820 framework
- FDA shifting from pre-market paperwork to auditing real-world effectiveness of post-market security processes
Section 524B Requirements:
- Security controls built into design
- Vulnerability management
- Software Bill of Materials (SBOM)
Water & Wastewater Sector
Ongoing Hacktivist Threat
The threat from pro-Russia hacktivists continues following the December 2025 joint advisory (AA25-343A):
TwoNet Hacktivist Group Activity: Forescout research showed that in September 2025 hacktivists attacked a honeypot mimicking a water treatment plant. The intrusion was claimed by TwoNet, a Russia-aligned group, which:
- Gained access to the plant's human-machine interface (HMI)
- Defaced the HMI and disrupted the simulated process
- Manipulated operating parameters and attempted to evade detection
Water Sector Vulnerability Statistics
Per the December 2025 CISA advisory:
- Pro-Russia hacktivist groups continue targeting Water and Wastewater Systems
- Attack methods: Internet-exposed VNC, default credentials, SCADA manipulation
- Groups have caused physical damage including pipe bursts and tank overflows
- Internet-exposed PLCs with default passwords remain “exceedingly trivial to discover”
EPA Findings: Over 70% of water systems inspected since September 2023 violate basic cybersecurity requirements.
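"Internet-exposed VNC" covers two different failure modes: a server that lets anyone in with no password at all (RFB security type 1, "None"), and a server that asks for a password but does so with VNC Authentication, a DES challenge-response on a password truncated to eight characters over an unencrypted transport. The script below, added here as an example and not part of the CISA advisory or Forescout's research, performs the RFB version and security-type exchange described in RFC 6143 and rates what the server offers. The `SAMPLE_SERVERS` byte strings are constructed server responses so the assessment logic runs offline; `probe_vnc` does the same handshake against a live host you are authorised to test and disconnects before any authentication is attempted.

```python
"""Check which RFB (VNC) security types a server offers.

Added example for this report; not from CISA, Forescout, or any vendor.
Implements the RFB handshake from RFC 6143: read the server's 12-byte
version banner, echo a version back, read the security-type list, then
disconnect. The SAMPLE_SERVERS responses are constructed test data.
"""
import socket
import struct

SECURITY_TYPE_NAMES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}
ENCRYPTED_TYPES = {18, 19}  # only these wrap the session in TLS

# Constructed (banner, security-type message) pairs for the offline demo.
SAMPLE_SERVERS = {
    "hmi-open":   (b"RFB 003.008\n", b"\x02\x02\x01"),       # VNC Auth and None
    "hmi-legacy": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),   # RFB 3.3, VNC Auth only
    "hmi-tls":    (b"RFB 003.008\n", b"\x02\x13\x02"),       # VeNCrypt (19) and VNC Auth
}


def parse_version(banner: bytes) -> tuple[int, int]:
    """Parse the ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if (len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"."
            or banner[11:12] != b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def parse_security_types(version: tuple[int, int], data: bytes) -> list[int]:
    """Decode the server's security-type message for the negotiated version.

    RFB 3.3 sends a single U32 type. RFB 3.7+ sends a U8 count followed by
    that many U8 types, or count 0 plus a U32-length reason string when the
    server refuses the connection.
    """
    if version <= (3, 3):
        (single,) = struct.unpack("!I", data[:4])
        return [single]
    count = data[0]
    if count == 0:
        (rlen,) = struct.unpack("!I", data[1:5])
        reason = data[5:5 + rlen].decode("latin-1", errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])


def assess(types: list[int]) -> str:
    """Rate the offered security types for a host reachable from the internet."""
    names = ", ".join(SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types)
    if 1 in types:
        return f"CRITICAL: unauthenticated access offered (None) [{names}]"
    if not set(types) & ENCRYPTED_TYPES:
        # VNC Authentication: 8-character DES challenge-response, plaintext session.
        return f"HIGH: password auth without transport encryption [{names}]"
    return f"REVIEW: encrypted types offered; confirm no fallback to weaker types [{names}]"


def assess_sample(name: str) -> str:
    banner, message = SAMPLE_SERVERS[name]
    version = parse_version(banner)
    return assess(parse_security_types(version, message))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe_vnc(host: str, port: int = 5900, timeout: float = 3.0):
    """Run the version/security-type exchange against a live server, then disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        server_version = parse_version(_recv_exact(sock, 12))
        # Reply with the highest version we implement that the server supports;
        # anything below 3.7 is treated as 3.3, as RFC 6143 recommends.
        if server_version >= (3, 8):
            reply = (3, 8)
        elif server_version == (3, 7):
            reply = (3, 7)
        else:
            reply = (3, 3)
        sock.sendall(b"RFB %03d.%03d\n" % reply)
        if reply <= (3, 3):
            data = _recv_exact(sock, 4)
        else:
            data = _recv_exact(sock, 1)
            if data[0] == 0:                     # refusal: read the reason string too
                data += _recv_exact(sock, 4)
                (rlen,) = struct.unpack("!I", data[1:5])
                data += _recv_exact(sock, rlen)
            else:
                data += _recv_exact(sock, data[0])
        return reply, parse_security_types(reply, data)


if __name__ == "__main__":
    for name in SAMPLE_SERVERS:
        print(f"{name:11} {assess_sample(name)}")
```

Run `probe_vnc` only against hosts in your own inventory; even the "REVIEW" outcome is not a pass for an HMI, which should not be reachable from the internet at all. VNC Authentication is not an acceptable control for an exposed HMI regardless of password strength, because the challenge-response is offline-crackable and the session is plaintext.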
Energy & Power Grid
Poland Cyberattack on Energy Grid
Major News This Week: Polish government revealed the country experienced a major attempt to disrupt its power grid in late December 2025:
- Description: “Most powerful attack on the Polish power system in years”
- Target: Two combined heat and power plants
- Potential Impact: Could have cut heat for nearly 500,000 people
- Attribution: Digital Affairs Minister stated “everything points to Russian sabotage”
- Outcome: Attack was successfully repelled
The attack sought to disrupt communication between renewable energy installations and power distribution operators.
US Utility Engineering Data Breach
In early January 2026, hackers claimed breach of Pickett and Associates (Florida engineering firm):
Compromised Data:
- Over 800 sensitive engineering files
- LiDAR point cloud files
- Transmission line corridor data
- High-resolution orthophotos
- MicroStation design files
Affected Utilities:
- Tampa Electric Company
- Duke Energy Florida
- American Electric Power
Price: 6.5 bitcoin (~$600,000)
Attackers also selling data from Germany’s Enerparc AG, signaling focus on critical infrastructure.
Battery Energy Storage System (BESS) Risks
A white paper from Brattle Group and Dragos warns:
- Utility-scale BESS face heightened attack risks from nation-state and criminal groups
- Immediate action needed to secure critical industries
- Dragos tracking approximately 18 groups known to threaten the electrical grid
NERC Warning: Susceptible points on the electrical grid grow by approximately 60 per day.
Manufacturing & Industrial
Manufacturing Remains Top Ransomware Target
Global ransomware attacks rose 32% in 2025, with manufacturers emerging as the top target.
2025 ICS Vulnerability Trends (Cyble Annual Threat Landscape Report):
- 2,451 ICS vulnerability disclosures across 152 vendors (nearly double 2024)
- Siemens: 1,175 vulnerabilities (most affected vendor)
- Schneider Electric: 163 vulnerabilities (higher severity ratio - 70% high/critical vs 40% for Siemens)
- Critical manufacturing (45.8%) and energy systems (21.3%) most affected
Notable Manufacturing Incidents
Jaguar Land Rover Recovery: Full recovery now expected in January 2026 following the August 2025 ransomware attack:
- Cost: £1.9 billion (most economically damaging UK cyber incident in history)
- Production halted for five weeks
- Over 5,000 businesses across global supply chain affected
Sugawara Laboratories (Japan): Targeted by the Qilin ransomware group on January 2, 2026. The company manufactures industrial measuring equipment, including strobe devices, torque dynamometers, and bearing inspection systems.
Volvo Group Third-Party Breach: Ransomware attack on HR software provider Miljödata resulted in theft of sensitive personal data. Approximately 870,000 records leaked across vendor’s client base.
Threat Intelligence Highlights
China Attribution: Volt Typhoon Confirmation
China acknowledged responsibility for the Volt Typhoon intrusions during a December 2024 Geneva meeting with American officials, an admission first reported in April 2025:
- Chinese officials confirmed cyberattacks against US infrastructure
- Interpreted as response to US support for Taiwan
- Meant to deter US involvement in potential China-Taiwan conflict
Volt Typhoon Profile:
- Active since mid-2021
- Pre-positioning within US critical infrastructure IT networks
- Uses living-off-the-land (LOTL) techniques
- Maintains access for up to 5+ years undetected
- Critical risk tier: Communications, energy, water/wastewater, transportation
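Living-off-the-land activity leaves no malware to hunt for, so detection has to key on command lines that administrators rarely run together. The detector below is an added example, not CISA or Cisco Talos code; its patterns follow the tradecraft CISA documented for Volt Typhoon in advisory AA24-038A (netsh portproxy pivots, ntdsutil IFM copies of NTDS.dit, shadow copies and registry hive saves for credential theft, WMI remote execution, and Security-log queries for logon events). The log is a constructed set of process-creation records in a simple pipe-delimited form (timestamp|host|user|parent|command line); the host and user names are hypothetical, and the parser would need adapting to your SIEM's field layout.

```python
"""Flag living-off-the-land command lines associated with Volt Typhoon.

Added example for this report, not from CISA or Cisco Talos. Patterns are
derived from the behaviours described in CISA advisory AA24-038A. SAMPLE_LOG
is constructed process-creation data with hypothetical hosts and users.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK ID, or the advisory reference where no ID fits
    pattern: re.Pattern


RULES = [
    Rule("netsh portproxy listener (internal pivot)", "T1090.001",
         re.compile(r"\bnetsh(?:\.exe)?\s+(?:interface\s+)?portproxy\s+add\b", re.I)),
    Rule("ntdsutil IFM copy of NTDS.dit", "T1003.003",
         re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    Rule("vssadmin shadow copy creation", "T1003.003",
         re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    Rule("reg save of SAM/SYSTEM/SECURITY hive", "T1003.002",
         re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    Rule("wmic remote process execution", "T1047",
         re.compile(r"\bwmic(?:\.exe)?\b.*(?:/node:|\bprocess\s+call\s+create\b)", re.I)),
    Rule("Security log enumeration for logon events", "AA24-038A",
         re.compile(r"Get-EventLog\s+security\s+-instanceid\s+4624", re.I)),
]

# Constructed sample: timestamp|host|user|parent process|command line
SAMPLE_LOG = r"""
2026-01-12T03:14:07Z|DC01|CORP\svc_backup|cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q
2026-01-12T03:15:22Z|DC01|CORP\svc_backup|cmd.exe|vssadmin create shadow /for=C:
2026-01-12T03:20:41Z|FS02|CORP\jdoe|explorer.exe|notepad.exe C:\Users\jdoe\notes.txt
2026-01-13T22:05:13Z|WS-HMI-03|NT AUTHORITY\SYSTEM|svchost.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.20.30.40 connectport=8443
2026-01-13T22:07:50Z|WS-HMI-03|CORP\admin|cmd.exe|reg save hklm\sam C:\Windows\Temp\sam.hiv
2026-01-14T01:11:09Z|WS-HMI-03|CORP\admin|powershell.exe|powershell Get-EventLog security -instanceid 4624
2026-01-14T01:12:30Z|FS02|CORP\admin|cmd.exe|wmic /node:10.20.30.50 process call create "cmd /c whoami"
"""


def parse_record(line: str) -> dict:
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def scan(log_text: str) -> list[dict]:
    """Return one hit per (record, rule) match, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for rule in RULES:
            if rule.pattern.search(rec["cmd"]):
                hits.append({**rec, "rule": rule.name, "technique": rule.technique})
    return hits


def hosts_by_distinct_rules(hits: list[dict]) -> dict[str, int]:
    """Count distinct rules per host. Several different LOTL behaviours on one
    host is a much stronger signal than one command an admin might run anyway."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["rule"])
    return {host: len(rules) for host, rules in seen.items()}


def prioritised_hosts(hits: list[dict], threshold: int = 2) -> list[str]:
    """Hosts meeting the threshold, most distinct behaviours first."""
    counts = hosts_by_distinct_rules(hits)
    return sorted((h for h, n in counts.items() if n >= threshold),
                  key=lambda h: (-counts[h], h))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']:10} {h['technique']:9} {h['rule']}: {h['cmd'][:60]}")
    print("investigate first:", prioritised_hosts(found))
```

`vssadmin create shadow` and hive saves do occur in legitimate backup jobs, which is why the host-level roll-up counts distinct behaviours rather than raw hits; correlate the flagged hosts with the user and parent process fields, and with the time-of-day pattern, before paging anyone.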
UAT-8837 (China-Nexus APT)
Cisco Talos tracking UAT-8837, a suspected China-nexus APT:
- Actively targeting critical infrastructure in North America since 2025
- Gains access via vulnerability exploitation or stolen credentials
- Uses open-source tools for data theft
- Creates multiple persistence mechanisms
- Constantly adapts tools to evade detection
VoltRuptor ICS/SCADA Malware
Sophisticated malware developed by Infrastructure Destruction Squad:
- Multi-protocol support for industrial systems
- Persistence and anti-forensics capabilities
- Analysts believe aligned with state-sponsored campaigns
- Targeting countries not pro-Russia or China
2026 Threat Predictions
Critical Infrastructure Outlook:
- By 2026, more than 1/3 of global energy and utilities infrastructure will have experienced cyber pre-positioning activity
- Ransomware-as-a-Service (RaaS) expanding into OT environments
- More OT-focused malware linked to geopolitical conflict
- AI-enhanced attack capabilities accelerating reconnaissance and exploitation
OT Security Concerns:
- Gateways between IT and OT notoriously insecure
- OT systems often left unpatched with known vulnerabilities
- Network-connected plant machinery reaching critical mass as attractive target
- Legacy ICS built for reliability, not security - hard to patch, poorly segmented, difficult to monitor
Defensive Recommendations
Immediate Actions
For ICS/OT Operators:
- Apply ICS Patch Tuesday updates from Siemens, Schneider Electric, Rockwell, Phoenix Contact, and AVEVA
- Prioritize Siemens Industrial Edge Device authentication bypass fix
- Review and secure all internet-exposed VNC connections
- Audit default credentials on PLCs and SCADA systems
- Implement network segmentation between IT and OT
For Energy Sector:
- Review grid BESS security per Dragos/Brattle recommendations
- Assess data exposure risk if engineering vendors were compromised
- Monitor for Volt Typhoon LOTL indicators
- Ensure communication systems between renewable installations and grid operators are secured
For Healthcare Organizations:
- Prepare for FDA QMSR enforcement (February 2, 2026)
- Review medical device labeling for cybersecurity information
- Implement network segmentation for connected medical devices
- Maintain SBOM documentation for cyber devices
For Automotive Sector:
- Monitor Pwn2Own Automotive 2026 findings (January 21-23)
- Assess EV charging infrastructure OCPP security
- Review telematics and cellular modem configurations
- Evaluate supply chain vendor security posture
Medium-Term Actions
- Develop systematic legacy/EOL device replacement plans
- Implement behavioral analytics for CPS environments
- Establish ICS-specific incident response procedures
- Map data flows and access points for all OT assets
- Conduct vendor security assessments with focus on engineering data protection
Strategic Priorities
- Reduce Internet Exposure: Single most important action per CISA
- Prepare for AI-Enhanced Threats: Adversaries using AI for reconnaissance at unprecedented speeds
- Monitor Geopolitical Tensions: State-sponsored actors pre-positioning in critical infrastructure
- Supply Chain Security: Engineering specifications and OT vendor data increasingly targeted
Sources Referenced
RSS-Curated Sources:
- CISA ICS Advisories
- CISA AVEVA Advisory (ICSA-26-015-01)
- CISA Rockwell GuardLink Advisory (ICSA-26-013-01)
- CISA Rockwell FactoryTalk Advisory (ICSA-26-013-02)
- CISA Hitachi Energy Advisory (ICSA-26-008-01)
- CISA Known Exploited Vulnerabilities Update
- SecurityWeek - ICS Patch Tuesday
- Industrial Cyber - ICS Vulnerabilities
- The Hacker News - HPE OneView Exploitation
- Check Point Research - Threat Intelligence Report
Web Search Sources:
- VicOne - Pwn2Own Automotive 2026
- TechRepublic - CISA AI Security Guidance
- HHS OCR Cybersecurity Newsletter - January 2026
- Medical Device Network - FDA 2026 Focus
- Notes From Poland - Energy Grid Cyberattack
- The Moscow Times - Poland Grid Attack
- TechRadar - US Utility Data Breach
- Utility Dive - BESS Cyber Risks
- Industrial Cyber - Ransomware Statistics
- SecurityWeek - China Volt Typhoon Admission
- Cisco Talos - Predicting 2026
- SC Media - Critical Infrastructure 2026
- Integrity360 - 2025 Cyber Attacks Review
- Forescout - TwoNet Hacktivists
Note: This week featured significant ICS Patch Tuesday releases from major vendors, a repelled Russia-attributed attack on Polish heat-and-power plants, continued evolution of state-sponsored threats (including renewed attention to China's acknowledgment of the Volt Typhoon intrusions), and intensifying regulatory pressure on medical device cybersecurity ahead of the February 2 FDA QMSR effective date. The convergence of geopolitical tensions with critical infrastructure targeting continues to define the 2026 threat landscape.