News Summary week 05, 2026

Week 05 saw ESET and Dragos attribute the DynoWiper attack on Poland’s power grid to Russia’s Sandworm group, CISA issue seven ICS advisories affecting Rockwell, Johnson Controls, and Schneider Electric, and NERC release a landmark CIP Roadmap highlighting growing risks to low-impact grid assets.
Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published January 31, 2026

Executive Summary

The most significant CPS/ICS development this week was the detailed attribution by ESET and Dragos of the late-December 2025 cyberattack on Poland’s distributed energy resources to Russia’s Sandworm (Electrum) group, which deployed a novel wiper malware called DynoWiper. CISA released seven ICS advisories across two batches, covering vulnerabilities in Rockwell Automation ControlLogix and ArmorStart, Johnson Controls Metasys, Schneider Electric Zigbee products, KiloView encoders, Festo Didactic MES PCs, and iba Systems ibaPDA. NERC published its landmark CIP Roadmap warning that the majority of OT deployed across the Bulk Power System now falls into low-impact categories with insufficient security controls, and that coordinated attacks on these assets could have system-level effects.

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of January 23 - January 30, 2026

Critical Alerts & Advisories

CISA ICS Advisories - January 27, 2026

CISA released four ICS advisories on January 27:

  • ICSA-26-027-01 – iba Systems ibaPDA: A vulnerability in ibaPDA version 8.12.0, used worldwide in critical manufacturing, could allow an attacker to perform unauthorized actions on the file system. Users should update to ibaPDA v8.12.1 or later.

  • ICSA-26-027-02 – Festo Didactic SE MES PC: MES PCs shipped with Windows 10 include a pre-installed copy of XAMPP containing approximately 140 third-party vulnerabilities spanning argument injection (CWE-88), information exposure (CWE-200), and cross-site scripting (CWE-79). Festo recommends replacing XAMPP with their Factory Control Panel application.

  • ICSA-26-027-03 – Schneider Electric Zigbee Products: Multiple vulnerabilities in Silicon Labs EmberZNet affect Schneider Electric Zigbee-based products used in building automation and energy management.

  • ICSA-26-027-04 – Johnson Controls Metasys Products (CVE-2025-26385): A command injection vulnerability (CWE-77) in Metasys ADS, ADX, LCS8500, NAE8500, SCT, and CCT could result in remote SQL execution, leading to data alteration or loss. Affects commercial facilities, critical manufacturing, energy, and government sectors. Closing incoming TCP port 1433 mitigates the risk.

CISA ICS Advisories - January 29, 2026

CISA released three additional ICS advisories on January 29:

  • ICSA-26-029-01 – KiloView Encoder Series (CVE-2026-1453): A critical vulnerability in KiloView encoder models (E1, E1-s, E2, G1, P1, P2, RE1) could allow an unauthenticated attacker to create or delete administrator accounts, granting full administrative control. Affects communications and information technology sectors.

  • ICSA-26-029-02 – Rockwell Automation ArmorStart LT: Vulnerabilities could allow an attacker to cause a denial-of-service condition in ArmorStart LT motor controllers used in manufacturing environments.

  • ICSA-26-029-03 – Rockwell Automation ControlLogix (CWE-401): A memory leak vulnerability (missing release of memory after effective lifetime) could allow an attacker to cause a denial-of-service condition. Rockwell Automation reported this vulnerability to CISA.

NERC CIP Roadmap Release

On January 13, NERC released its 38-page Critical Infrastructure Protection (CIP) Roadmap, one of the most consequential cybersecurity policy documents for the North American electric sector since the CIP Version 5 transition. Key findings:

  • The majority of OT deployed across the Bulk Power System now falls into low-impact or sub-BES categories, with defense-in-depth protections covering a smaller share of grid assets than a decade ago.
  • Coordinated attacks on multiple low-impact assets could aggregate to significant system-level effects.
  • Multi-factor authentication (MFA) is identified as the single most powerful control for reducing cyber risk across nearly every attack path.
  • NERC is initiating standards efforts to require MFA for interactive remote access to low-impact BES Cyber Systems.
  • Expanded scope needed for distributed and remote assets including inverter-based resources, DER aggregators, EV charging infrastructure, and cloud-hosted control platforms.

Automotive CPS Security

No major new automotive CPS vulnerabilities were disclosed this week. The automotive security community continues to process findings from Pwn2Own Automotive 2026 (January 21-23), with vendors in their 90-day disclosure windows for the 76 zero-days discovered during the competition.

Key industry developments:

  • Connected car security market projected to grow from $3.37 billion (2025) to $6.99 billion by 2032 (11% CAGR), driven by the transition to EVs and integration of connected ADAS features.
  • UN R155 and ISO/SAE 21434 compliance continues to drive OEMs to implement in-vehicle security solutions including secure gateways and hardware security modules (HSMs).
  • Industry experts emphasize the expanding attack surface beyond vehicles into charging infrastructure and the broader connected mobility ecosystem, as demonstrated by the EV charger exploits at Pwn2Own.

Medical Device CPS Security

FDA Cybersecurity Enforcement Intensifying

The FDA’s scrutiny around medical device cybersecurity is intensifying in 2026, shifting focus from pre-market paperwork to active operational execution. Companies must now prove vulnerability management works in the field, not only pre-launch.

Key regulatory milestones:

  • QMSR takes effect February 2, 2026: The Quality Management System Regulation replaces Part 820, and inspections after that date follow the revised framework.
  • Section 524B of the FD&C Act requires manufacturers to build security controls into design, manage vulnerabilities, and maintain a software bill of materials (SBOM).
  • The FDA can refuse to accept or deny approval for applications based solely on cybersecurity deficiencies.

Healthcare Breach Landscape

  • Manage My Health (New Zealand): A cyberattack identified December 30, 2025 compromised 400,000 medical documents of 120,000 patients including hospital discharge summaries, referrals, and specialist documents. The group “Kazu” claimed responsibility and demanded ransom.
  • HealthBridge Chiropractic: Targeted by Qilin ransomware on January 6, 2026. Extent of compromised data under investigation.
  • Auforum AG (Switzerland): Healthcare and rehabilitation supplies provider hit by Qilin ransomware.

HHS OCR January 2026 Newsletter

The January 2026 OCR cybersecurity newsletter emphasizes hardening medical devices through patching known vulnerabilities, removing or disabling unneeded software and services, and enabling security measures. An estimated 53% of connected medical devices in hospitals have known critical vulnerabilities.

Water & Wastewater Sector

No new water sector attacks were reported this week. However, the cybersecurity policy landscape saw a significant development:

  • CISA Act and State/Local Cybersecurity Grant Program extensions expired on January 30, 2026. These programs had been temporarily reinstated in November 2025, restoring liability protections, real-time cyber threat information sharing, and federal cybersecurity funding access for water utilities. Their expiration creates uncertainty for water sector cybersecurity funding.
  • The water sector remains one of the least mature in terms of cybersecurity according to industry assessments, with SCADA systems controlling chemical dosing and water pressure at particular risk.

Energy & Power Grid

DynoWiper Attack on Poland – Full Attribution Published

The week’s most significant CPS story was the publication of detailed technical analysis attributing the late-December 2025 attack on Poland’s energy grid:

ESET Research (published January 26) attributed with medium confidence the deployment of a new destructive wiper malware called DynoWiper to Russia’s Sandworm group (GRU Unit 74455). Key technical details:

  • DynoWiper overwrites files on all removable and fixed drives using a 16-byte random data buffer, then forces a system reboot.
  • Three distinct DynoWiper samples were deployed; all were blocked by ESET PROTECT EDR/XDR.
  • The wiper shares similarities with the ZOV wiper, also attributed to Sandworm with high confidence.
  • Unlike Industroyer and Industroyer2, DynoWiper targets only IT environments with no observed OT-specific functionality.
  • ESET believes the attack was timed to mark the 10-year anniversary of Sandworm’s 2015 attack on Ukraine’s energy sector.

Dragos (published January 29) provided additional operational details:

  • Attributed the attacks to the group it tracks as Electrum (widely known as Sandworm).
  • Described the attacks as a world-first for targeting distributed energy resources (DERs) – smaller generation sites connected to a country’s central power grid.
  • Attackers took over remote terminal units (RTUs) and communication infrastructure at approximately 30 facilities.
  • Access was achieved through targeting internet-exposed devices and those vulnerable to exploits or misconfigurations.
  • In some cases, equipment was damaged beyond repair.
  • The attack targeted two combined heat and power (CHP) plants and a system managing electricity from wind turbines and photovoltaic farms.

If successful, the attack could have cut off power and heat to nearly 500,000 people during winter.

Russia Escalating Hybrid Warfare Against German Infrastructure

A leaked German Defense Ministry document revealed that Russia is escalating covert hybrid warfare against Germany’s critical infrastructure through sabotage, cyberattacks, espionage, and influence operations targeting energy and defense sectors. Germany, as NATO’s key European logistics hub, identifies Russia as the greatest immediate security threat, with preparations for potential large-scale conflict by 2029.

Manufacturing & Industrial

ICS Vulnerability Landscape

The Cyble Annual Threat Landscape Report 2025, published January 15, revealed that ICS vulnerability disclosures nearly doubled:

  • 2,451 ICS vulnerabilities disclosed across 152 vendors in 2025 (up from 1,690 across 103 vendors in 2024).
  • August 2025 saw a spike of 802 ICS vulnerabilities disclosed in a single month.
  • Manufacturing and healthcare were the sectors most targeted by ransomware.
  • Hacktivist groups heavily targeted energy, utilities, and transportation organizations.

OT Security Preparedness Gap

Only 14% of organizations report feeling fully prepared for emerging OT threats, highlighting a persistent capability and cultural divide between IT and OT teams. The OMICRON study revealed widespread cybersecurity gaps in OT networks of substations, power plants, and control centers worldwide.

Threat Intelligence Highlights

Sandworm/Electrum – Priority Threat to Energy Sector

The DynoWiper campaign against Poland represents an evolution in Sandworm’s targeting of energy infrastructure, moving from centralized power generation to distributed energy resources. This shift reflects the changing nature of modern power grids and suggests future attacks may target:

  • Residential solar inverters and DER aggregators
  • EV charging infrastructure
  • Cloud-hosted control platforms
  • Vendor-operated remote access systems

China-Nexus Threats to Critical Infrastructure

  • Volt Typhoon continues to maintain pre-positioned access within U.S. critical infrastructure IT environments, with documented persistence of at least five years in some victim networks. Despite botnet disruption in December 2023, the KV Botnet has been revived.
  • Salt Typhoon continues to exploit known vulnerabilities in firewalls, VPNs, and routers from vendors like Cisco and Ivanti, specializing in credential theft and lateral movement through telecommunications infrastructure.

Qilin Ransomware – Healthcare Focus

Qilin remains one of the most active ransomware groups targeting healthcare and manufacturing, with multiple claims in January 2026 including HealthBridge Chiropractic and Auforum AG. The group primarily targets manufacturing, professional services, healthcare, and real estate sectors.

Defensive Recommendations

Immediate Actions

  1. Review and apply CISA ICS advisories: Patch Rockwell Automation ControlLogix, ArmorStart LT, Johnson Controls Metasys, and iba Systems ibaPDA to latest versions.
  2. Audit Zigbee-based building automation: Review Schneider Electric Zigbee product deployments for EmberZNet vulnerabilities.
  3. Secure distributed energy resources: Following the DynoWiper attack, audit internet-exposed RTUs, ensure proper network segmentation for DER sites, and deploy EDR on IT systems adjacent to OT networks.
  4. Close TCP port 1433 on Johnson Controls Metasys deployments to mitigate command injection risk.
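The Metasys mitigation from ICSA-26-027-04 (close incoming TCP 1433) and action 4 above, as an added example that is not part of the original digest and not Johnson Controls’ guidance: a PowerShell fragment for a Windows host running Metasys that adds a host-firewall rule blocking inbound TCP 1433 and then reports whether anything is still bound to that port. The rule name and the two function names are assumptions chosen for this example.

```powershell
# Added example (not from the original digest or from Johnson Controls):
# apply the ICSA-26-027-04 mitigation on a Windows host running Metasys
# by blocking inbound TCP 1433 at the host firewall, then verify it.
# Run from an elevated PowerShell session.

$RuleName = 'Block-Inbound-TCP-1433-Metasys'   # assumed name; pick your own

function Set-Metasys1433Block {
    # Create the block rule once; re-running the script must not duplicate it.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 1433 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Return the rule so the caller can confirm it is enabled and blocking.
    Get-NetFirewallRule -DisplayName $RuleName
}

function Get-Port1433Exposure {
    # Report anything still bound to TCP 1433 together with the owning process.
    # A block rule stops inbound connections but does not stop the listener,
    # so this shows what the rule is protecting and what could be disabled.
    Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

$rule = Set-Metasys1433Block
"Firewall rule '{0}': Enabled={1} Action={2}" -f $rule.DisplayName, $rule.Enabled, $rule.Action

$listeners = @(Get-Port1433Exposure)
if ($listeners.Count -eq 0) {
    'Nothing is listening on TCP 1433 on this host.'
} else {
    'TCP 1433 is still bound locally (inbound now blocked by the host firewall):'
    $listeners | Format-Table -AutoSize
}
```

Pair the host rule with the same block on the network firewall in front of the Metasys servers, since the advisory’s mitigation is about inbound reachability rather than the local listener.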

Strategic Recommendations

  1. Implement MFA for all remote OT access: Aligned with NERC CIP Roadmap’s top recommendation. Prioritize interactive remote access to both high-impact and low-impact BES Cyber Systems.
  2. Inventory and secure low-impact assets: Per NERC CIP Roadmap findings, assess whether coordinated compromise of low-impact assets could produce system-level effects in your environment.
  3. Medical device SBOM compliance: With QMSR effective February 2, ensure device inventory includes software bills of materials and active vulnerability tracking.
  4. Hunt for Volt Typhoon IOCs: Apply CISA’s recommended mitigations – patching, MFA, enhanced logging, and end-of-life system management – particularly on SOHO network equipment.
  5. Deploy EDR/XDR on energy sector IT systems: The Poland DynoWiper attack was blocked by endpoint detection – ensure similar coverage at all DER and CHP facilities.
