Executive Summary
The most consequential CPS/ICS development this week was CISA’s Binding Operational Directive 26-02, ordering federal agencies to inventory and replace unsupported network edge devices within strict timelines—directly responding to the pattern of advanced threat actors exploiting end-of-life routers, firewalls, and IoT gateways in critical infrastructure. February’s ICS Patch Tuesday saw coordinated advisories from Siemens (8 advisories including SINEC NMS DLL hijacking and Desigo CC/SENTRON Powermanager code execution), Schneider Electric (EcoStruxure Process privilege escalation), AVEVA (PI Data Archive denial-of-service and PI-to-CONNECT Agent data exposure), and Phoenix Contact (TC Router command injection). The UK’s NCSC issued an urgent warning to critical national infrastructure operators to prepare for “severe” cyber-attacks, citing the December 2025 Poland energy grid attack as a template for future campaigns. CISA also released a medical device advisory for the ZOLL ePCR application (ICSMA-26-041-01), and the FDA’s updated cybersecurity guidance aligning with the new QMSR officially took effect.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of February 6 - February 13, 2026
Critical Alerts & Advisories
CISA Binding Operational Directive 26-02: Edge Device Security
On February 5, CISA published BOD 26-02, “Mitigating Risk From End-of-Support Edge Devices,” mandating that federal agencies:
- Immediately update edge devices to vendor-supported software and firmware
- Within 90 days, inventory all devices appearing on CISA’s end-of-service list
- Within one year, decommission any devices with end-of-service dates falling within the next 12 months
Edge devices covered include firewalls, routers, switches, load balancers, wireless access points, VPN gateways, and IoT edge devices. CISA cited “widespread exploitation campaigns by advanced threat actors” targeting end-of-life devices at network perimeters as the driving motivation. While the directive applies to Federal Civilian Executive Branch agencies, CISA strongly encouraged all critical infrastructure operators to adopt similar practices.
CPS relevance: Many OT environments rely on aging routers, firewalls, and network appliances that sit at IT/OT boundaries. This directive signals increasing regulatory pressure to address the “forgotten” edge devices that often serve as initial access vectors into industrial networks.
ICS Patch Tuesday - February 11, 2026
The February ICS Patch Tuesday saw coordinated vulnerability disclosures from four major ICS vendors:
Siemens (8 advisories)
SINEC NMS DLL Hijacking (ICSA-26-043-01): CVE-2026-25655 and CVE-2026-25656 allow low-privileged users to load malicious DLLs via configuration file modification in SINEC NMS (versions prior to V4.0 SP2), leading to arbitrary code execution with SYSTEM privileges. Remediation: Update User Management Component (UMC) to V2.15.2.1 or later.
Desigo CC & SENTRON Powermanager (ICSA-26-043-04): A heap-based buffer overflow in the bundled WIBU Systems CodeMeter Runtime (via libcurl SOCKS5 proxy handshake) affects Desigo CC V6–V8 and SENTRON Powermanager. Successful exploitation enables code execution in the process context. Remediation: Update CodeMeter Runtime component per Siemens instructions.
Siveillance Video Management Servers (ICSA-26-043-07): A flaw in the Webhooks implementation allows authenticated remote attackers with read-only privileges to obtain full Webhooks API access. Affects Siveillance Video V2023 R1 through V2025. Hotfix updates released for all affected versions.
The remaining advisories cover vulnerabilities in Simcenter Femap/Nastran, NX, Solid Edge, and Polarion that are exploitable for DoS, code execution, and privilege escalation.
Schneider Electric (4 advisories)
EcoStruxure Process Privilege Escalation (SEVD-2026-013-02): Incorrect default permissions (CWE-276) in EcoStruxure Process and EcoStruxure Process Expert for AVEVA System Platform allow local privilege escalation via reverse shell when service binaries are modified. No patch yet available—Schneider recommends application whitelisting and restricting system access.
Three further advisories address vulnerabilities in third-party components (Zigbee and Redis) used by Schneider products.
AVEVA (2 advisories)
PI Data Archive Denial-of-Service (ICSA-26-041-03): An uncaught exception allows unauthenticated remote attackers to crash core PI services. Affects PI Server versions through 2024. No public exploitation reported.
PI-to-CONNECT Agent (ICSA-26-041-04): CVE-2026-1495 involves insertion of sensitive information into log files, potentially exposing credentials. Affects AVEVA PI-to-CONNECT Agent.
Phoenix Contact (1 advisory)
TC Router & TC Cloud Client Command Injection (VDE-2025-073): CVE-2025-41717 allows an unauthenticated remote attacker to trick a privileged user into uploading a malicious payload via the config-upload endpoint, achieving code injection as root. Affects TC ROUTER 3002T-3G, 2002T-3G, 3002T-4G, 5004T-5G EU, and CLOUD CLIENT models. Impact: Total loss of confidentiality, availability, and integrity.
Microsoft February 2026 Patch Tuesday
Microsoft patched 58 vulnerabilities including six actively exploited zero-days, all added to CISA’s Known Exploited Vulnerabilities catalog with a March 3 remediation deadline:
- CVE-2026-21519: Windows Desktop Window Manager privilege escalation (local)
- CVE-2026-21533: Windows Remote Desktop Services privilege escalation to SYSTEM
- CVE-2026-21525: Remote Access Connection Manager (RASMAN) DoS—can disrupt VPN sessions
- CVE-2026-21510: Windows SmartScreen bypass
- CVE-2026-21513/21514: Internet Explorer and Office security bypass/code execution
CPS relevance: The RASMAN DoS vulnerability (CVE-2026-21525) could disrupt remote access VPN connections used for remote OT maintenance, and the RDS privilege escalation (CVE-2026-21533) is relevant for jump hosts and remote desktop gateways in industrial environments.
Automotive CPS Security
VicOne 2026 Automotive Cybersecurity Report
VicOne released its 2026 Automotive Cybersecurity Report, finding that cross-region, multi-business cyber incidents more than tripled in 2025, accounting for 161 of 610 recorded cases. Key findings:
- Centralized software platforms and OTA update infrastructures amplify the impact of a single breach across subsidiaries and regions
- Cyber incidents now routinely span enterprise IT, cloud services, and in-vehicle systems simultaneously
- A single compromised supplier or component can cause recalls, delays, or security failures across multiple vehicle lines
- Domain-specific compliance alone cannot address cross-platform risk propagation in modern software-defined vehicle architectures
Automotive ISAC: Dynamic Vehicle Cybersecurity Testing
The Automotive ISAC February community call focused on dynamic vehicle cybersecurity testing use cases, highlighting the limitations of static laboratory testing for validating ECU, ADAS, sensor, and V2X security. Key discussion points:
- Penetration testing during vehicle motion reveals vulnerabilities that only appear under real driving conditions (acceleration, braking, environmental variation)
- State-dependent fuzzing, sensor/signal spoofing, and V2X attack scenario evaluation require proving-ground environments
- The industry is moving toward combined proving-ground and cybersecurity platform ecosystems for repeatable, realistic testing
Pwn2Own Automotive 2026: Disclosure Windows Active
Vendors affected by the 76 zero-day vulnerabilities discovered at Pwn2Own Automotive 2026 (January 21–23) are now within their 90-day disclosure windows. Affected systems include Tesla Infotainment, Alpitronic HYC50 charging stations, ChargePoint Home Flex, Autel MaxiCharger, Grizzl-E Smart chargers, Kenwood navigation receivers, and AGL-based IVI systems. Patches are expected to begin appearing in late February through April 2026.
Medical Device CPS Security
CISA Medical Device Advisory: ZOLL ePCR
CISA published ICSMA-26-041-01 on February 10, disclosing a reflected cross-site scripting vulnerability in the ZOLL ePCR iOS Mobile Application (version 2.6.7):
- CVE-2025-12699: Attacker-controlled strings placed into patient care record fields (run number, incident, call sign, notes) are interpreted as HTML/JavaScript when the app renders or prints content
- Impact: Unauthorized access to protected health information (PHI) or device telemetry
- CVSS v4.0: 6.7 (Medium)—local attack vector, low complexity
- No public exploitation reported
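The mechanism described in the bullets above is the classic one: strings stored in record fields are concatenated into an HTML document and the rendering engine parses them as markup. The Python below is an added illustration written for this report, not code from ZOLL or from the advisory; it models the report-rendering step generically (the real application is an iOS app, whose rendering code is not public) with a constructed record whose field names follow the advisory summary and whose hostile values are sample strings, not data from any real incident. It shows the vulnerable interpolation next to the hardened version that entity-encodes each field at the point of output, and uses Python's own HTML parser to check which elements each rendering actually produces.

```python
import html
from html.parser import HTMLParser

# Field names taken from the advisory summary: run number, incident, call sign, notes.
RECORD_FIELDS = ("run_number", "incident", "call_sign", "notes")

# Elements the report template itself emits; anything else came from field data.
TEMPLATE_ELEMENTS = {"table", "tr", "th", "td"}

# Constructed patient care record. The incident and notes values are hostile
# sample strings standing in for attacker-controlled input; they are not taken
# from the advisory or from any real incident.
SAMPLE_RECORD = {
    "run_number": "2026-0213-017",
    "incident": "Fall <b>at residence</b>",
    "call_sign": "Medic 12",
    "notes": "<img src=x onerror=alert(document.cookie)>",
}


def render_vulnerable(record):
    """Interpolate field values straight into the HTML report: any markup in
    the data is parsed as markup, which is the pattern behind a reflected XSS."""
    rows = "".join(
        f"<tr><th>{name}</th><td>{record[name]}</td></tr>" for name in RECORD_FIELDS
    )
    return f"<table>{rows}</table>"


def render_hardened(record):
    """Entity-encode every field value before it reaches the document, so the
    same string is displayed literally instead of being parsed."""
    rows = "".join(
        f"<tr><th>{name}</th><td>{html.escape(str(record[name]), quote=True)}</td></tr>"
        for name in RECORD_FIELDS
    )
    return f"<table>{rows}</table>"


class _ElementCollector(HTMLParser):
    """Records the element names an HTML parser actually sees in a document."""

    def __init__(self):
        super().__init__()
        self.elements = set()

    def handle_starttag(self, tag, attrs):
        self.elements.add(tag)


def injected_elements(document):
    """Element names present in the rendered document that the template did
    not emit, i.e. markup contributed by record data."""
    parser = _ElementCollector()
    parser.feed(document)
    parser.close()
    return sorted(parser.elements - TEMPLATE_ELEMENTS)


def displayed_text(document, field):
    """The text a browser would show in the cell for `field`. For the hardened
    render, decoding the entities gives back exactly the original string."""
    marker = f"<th>{field}</th><td>"
    start = document.index(marker) + len(marker)
    end = document.index("</td>", start)
    return html.unescape(document[start:end])


if __name__ == "__main__":
    print("vulnerable render adds elements:", injected_elements(render_vulnerable(SAMPLE_RECORD)))
    print("hardened render adds elements:  ", injected_elements(render_hardened(SAMPLE_RECORD)))
    print("notes cell still displays:      ", displayed_text(render_hardened(SAMPLE_RECORD), "notes"))
```

The check to take away is the last one: encoding at output changes nothing about what the clinician sees in the record, it only stops the parser from treating the field as structure. The same rule applies to the print path, since a print preview is rendered HTML too.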
FDA Cybersecurity Guidance Officially Supersedes Prior Version
On February 10, the FDA officially issued the final version of its updated guidance on “Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions,” superseding the June 2025 version. Key changes:
- Aligns with the new QMSR (effective February 2, 2026) which incorporates ISO 13485 by reference
- SBOM requirements are now statutory for “cyber devices”: machine-readable inventories of all software components with support lifecycle dates
- Premarket submissions must include a Global System View, Multi-Patient Harm View, and Updatability/Patchability View
- Applies to all 510(k), De Novo, PMA, PDP, and HDE submissions
Water & Wastewater Sector
No major new incidents were reported targeting water/wastewater infrastructure during this reporting period. However, the CISA BOD 26-02 on edge device security and the NCSC “severe threat” warning (see below) both carry direct implications for the sector, which has been repeatedly targeted by pro-Russia hacktivists via exposed HMIs and VNC interfaces throughout 2025 and into 2026.
Ongoing concern: The Forescout-documented TwoNet hacktivist group continues probing water utility SCADA systems, and CISA’s edge device directive may help address the exposed VNC and HMI interfaces that serve as primary attack vectors.
Energy & Power Grid
CISA Warning Following Poland Grid Attack
Following the December 2025 DynoWiper attack on Poland’s energy grid, CISA this week issued a direct warning to U.S. critical infrastructure operators, highlighting lessons learned:
- Internet-facing edge devices remain the primary initial access vector
- Default credentials on OT devices enabled lateral movement
- Wiper malware destroyed data on HMIs and corrupted firmware on RTUs
- The attack caused loss of view and control between facilities and distribution system operators
Attribution update: While Poland’s CERT attributed the attack to Berserk Bear, ESET attributed it with medium confidence to Sandworm (GRU Unit 74455), based on analysis of the DynoWiper malware and associated TTPs. This represents the first major cyberattack specifically targeting distributed energy resources (DERs)—the smaller wind, solar, and CHP facilities increasingly integrated into modern grids.
UK NCSC “Severe Threat” Warning
On February 13, NCSC Director for National Resilience Jonathon Ellison urged critical national infrastructure operators to “act now” against “severe” cyber threats, defined as “a deliberate and highly disruptive or destructive cyber-attack.” The warning specifically referenced:
- Attempts to shut down or damage critical operations
- Physical damage to ICS
- Data erasure to make service recovery impossible
The NCSC issued guidance on threat monitoring, network activity awareness, situational awareness, and network defense hardening.
Pickett & Associates Breach: Supply Chain Impact Continues
The 130 GB breach of Pickett & Associates (disclosed January 2026) continues to have ripple effects, with Duke Energy confirming it has begun investigating the cybercriminal’s claims. The stolen data—including classified LiDAR point cloud files, orthophotos, transmission line/substation coverage, and MicroStation design files for American Electric, Duke Energy Florida, and Tampa Electric—remains listed for sale at 6.5 BTC (~$580,000). This incident underscores the “extended enterprise” risk where utility security depends on the weakest link in their third-party vendor ecosystem.
Manufacturing & Industrial
OT Ransomware Increasingly Mainstream
SC Media reported that ransomware attacks against OT systems are expected to transition from predominantly nation-state operations to mainstream cybercriminal activity in 2026. Key factors:
- OT systems are often unpatched, carry known vulnerabilities, and lack monitoring
- IT/OT gateways remain “notoriously insecure”
- The ransomware-as-a-service (RaaS) model is expanding into OT environments
- Half of 2025 ransomware attacks targeted critical sectors, with manufacturing, healthcare, and energy as top targets
- European manufacturers experienced 90% more data breaches year-over-year
Threat Intelligence Highlights
CISA’s Edge Device Focus Reflects Threat Actor TTPs
The new BOD 26-02 directly addresses the attack pattern seen in Poland and elsewhere: advanced threat actors gaining initial access through vulnerable, internet-facing edge devices (routers, firewalls, VPN appliances) and then pivoting to OT networks. This pattern has been employed by:
- Sandworm/Electrum (Russia/GRU): Poland energy grid attack via vulnerable edge devices with default credentials
- Volt Typhoon (China): Pre-positioning in U.S. critical infrastructure via end-of-life SOHO routers
- UAT-8837 (China-nexus): Targeting North American critical infrastructure sectors
Pro-Russia Hacktivism Remains Elevated
The Cyble 2025 threat report noted that hacktivist groups—particularly Z-Pentest, CARR, NoName057(16), and Sector16—increasingly focused on ICS and OT attacks throughout 2025, a trend continuing into 2026. Predictions for 2026 include increased targeting of exposed HMI/SCADA systems and VNC takeover attempts.
ICS Vulnerability Disclosure Rates Remain High
The Cyble CIRL report tracking ICS vulnerability disclosures found 2,451 vulnerabilities across 152 vendors in 2025, up from 1,690 across 103 vendors in 2024 (a roughly 45% increase). This trend shows no sign of slowing in 2026, with February’s Patch Tuesday alone covering four major vendors.
Defensive Recommendations
Edge device audit (Critical): Inventory all network edge devices (firewalls, routers, VPN appliances, IoT gateways) at IT/OT boundaries. Replace end-of-life devices and ensure all supported devices run current firmware. Change all default credentials immediately. (CISA BOD 26-02)
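The BOD 26-02 timelines summarised under Critical Alerts & Advisories and the edge device audit recommended here reduce to the same bookkeeping: for each device, compare its end-of-service date and firmware against the vendor's current status and derive the required action. The Python script below is an added worked example written for this report; it is not CISA tooling or any vendor's code. The device models, end-of-service dates and firmware versions in it are hypothetical placeholders standing in for CISA's end-of-service list and vendor lifecycle notices, and the one assumption beyond the text is that the 90-day and one-year clocks start at the directive's February 5 publication date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Reference dates: BOD 26-02 was published on February 5, 2026, and this
# assessment is run as of February 13, 2026 (end of the report week).
DIRECTIVE_PUBLISHED = date(2026, 2, 5)
ASSESSMENT_DATE = date(2026, 2, 13)

# Devices whose end-of-service date falls within the next 12 months must be
# decommissioned within one year of the directive.
EOS_HORIZON = timedelta(days=365)


@dataclass(frozen=True)
class EdgeDevice:
    hostname: str
    model: str
    firmware: str
    location: str  # e.g. "it_ot_boundary" or "internet_perimeter"


# Constructed end-of-service table: model -> (end-of-service date or None,
# current vendor-supported firmware or None). The model names are hypothetical
# placeholders standing in for CISA's end-of-service list and vendor lifecycle
# notices; they are not real product data.
EOS_LIST = {
    "EXAMPLE-FW-100": (date(2024, 6, 30), None),      # already out of support
    "EXAMPLE-RTR-2000": (date(2026, 9, 1), "7.4.2"),   # end-of-service within 12 months
    "EXAMPLE-VPN-50": (None, "3.1.0"),                  # supported, no announced EOS
}

# Constructed inventory of edge devices at IT/OT boundaries and the perimeter.
INVENTORY = [
    EdgeDevice("fw-ot-boundary-1", "EXAMPLE-FW-100", "5.2.9", "it_ot_boundary"),
    EdgeDevice("rtr-substation-a", "EXAMPLE-RTR-2000", "7.3.0", "internet_perimeter"),
    EdgeDevice("vpn-remote-maint", "EXAMPLE-VPN-50", "3.1.0", "internet_perimeter"),
    EdgeDevice("iot-gw-plant-3", "EXAMPLE-IOT-GW", "1.0.4", "it_ot_boundary"),
]


def directive_deadlines(published=DIRECTIVE_PUBLISHED):
    """Calendar deadlines for the 90-day inventory and one-year decommissioning
    requirements, assuming the clock starts at the directive's publication."""
    return {
        "inventory_due": published + timedelta(days=90),
        "decommission_due": published + timedelta(days=365),
    }


def classify(device, eos_list=EOS_LIST, today=ASSESSMENT_DATE):
    """Map one device to the action BOD 26-02 requires for it."""
    if device.model not in eos_list:
        return "unknown model: confirm vendor support status and add to end-of-service tracking"
    eos_date, current_fw = eos_list[device.model]
    if eos_date is not None and eos_date <= today:
        # Already unsupported: no firmware update brings it back into compliance.
        return "unsupported: replace immediately"
    if eos_date is not None and eos_date - today <= EOS_HORIZON:
        action = f"decommission within one year (end of service {eos_date.isoformat()})"
    else:
        action = "supported"
    if current_fw is not None and device.firmware != current_fw:
        # Devices still in support must run vendor-current firmware.
        action += f"; update firmware {device.firmware} -> {current_fw}"
    return action


def audit(inventory=INVENTORY, eos_list=EOS_LIST, today=ASSESSMENT_DATE):
    """Classify every device; returns a hostname -> required action mapping."""
    return {dev.hostname: classify(dev, eos_list, today) for dev in inventory}


if __name__ == "__main__":
    for name, due in directive_deadlines().items():
        print(f"{name}: {due.isoformat()}")
    for host, action in audit().items():
        print(f"{host:20} {action}")
```

The "unknown model" branch is deliberate: a device that cannot be matched to a lifecycle record is an inventory gap, and the directive's first 90 days are about closing exactly those gaps before the replacement work can be scheduled.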
ICS Patch Tuesday deployment: Apply Siemens, Schneider Electric, AVEVA, and Phoenix Contact patches promptly, prioritizing SINEC NMS (CVE-2026-25655/25656), Desigo CC/SENTRON Powermanager, and Phoenix Contact TC Router/Cloud Client.
Microsoft patching (Deadline: March 3): Prioritize the six actively exploited zero-days, particularly CVE-2026-21533 (RDS privilege escalation) and CVE-2026-21525 (RASMAN DoS) in OT-adjacent environments.
Medical device SBOM compliance: Device manufacturers must integrate SBOM documentation into premarket submissions under the updated FDA guidance. Healthcare organizations should request SBOMs from device vendors.
OT network segmentation: Ensure ICS/SCADA systems are behind firewalls, isolated from business networks, and not directly accessible from the internet. Use VPNs for remote access with MFA enabled.
HMI/SCADA exposure review: Audit for any internet-exposed HMIs, VNC interfaces, or SCADA systems. Pro-Russia hacktivists and other threat actors continue to actively scan for and exploit these.
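One way to turn this review (and the exposed VNC and HMI interfaces noted in the Water & Wastewater section) into a repeatable check is to read the boundary firewall's accepted-connection logs for VNC ports reached from outside the organisation's own address space. The script below is an added example written for this report, not the output of any vendor product; the log format, the internal address plan (10.20.0.0/16) and the log lines themselves are constructed for the example and do not come from a real device or incident. Real firewall formats differ, so the regular expression is the part to adapt.

```python
import ipaddress
import re
from collections import Counter

# VNC servers listen on 5900 + display number (5900-5909 covers displays :0-:9);
# the browser-based VNC variant uses 5800 + display number.
VNC_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))

# Constructed site address plan: any source outside these ranges is treated as
# external to the organisation. Hypothetical values, not a real network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Simplified key=value firewall log format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed firewall log lines; fabricated for the example, not from any real device.
SAMPLE_LOG = """\
2026-02-12T03:14:07Z fw-ot-edge ACCEPT src=203.0.113.45 dst=10.20.30.5 proto=TCP spt=51514 dpt=5900
2026-02-12T03:14:09Z fw-ot-edge ACCEPT src=10.20.10.8 dst=10.20.30.5 proto=TCP spt=40212 dpt=5900
2026-02-12T03:15:41Z fw-ot-edge DROP src=198.51.100.7 dst=10.20.30.5 proto=TCP spt=6000 dpt=5901
2026-02-12T03:16:02Z fw-ot-edge ACCEPT src=203.0.113.45 dst=10.20.30.6 proto=TCP spt=51520 dpt=5800
2026-02-12T03:17:30Z fw-ot-edge ACCEPT src=198.51.100.7 dst=10.20.30.7 proto=TCP spt=6001 dpt=443
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(address):
    """True when the address falls inside the organisation's own ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_vnc_sessions(log_text):
    """Accepted TCP connections to a VNC port from a source outside the
    organisation's own ranges: evidence that an HMI's remote-desktop path is
    reachable from the internet. Dropped traffic is scanning, not exposure."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        if rec["dpt"] in VNC_PORTS and not is_internal(rec["src"]):
            findings.append(rec)
    return findings


def summarize(findings):
    """Exposed destination endpoints and how often each external source reached them."""
    return {
        "exposed_endpoints": sorted({f"{f['dst']}:{f['dpt']}" for f in findings}),
        "external_sources": dict(Counter(f["src"] for f in findings)),
    }


if __name__ == "__main__":
    report = summarize(exposed_vnc_sessions(SAMPLE_LOG))
    for endpoint in report["exposed_endpoints"]:
        print("exposed VNC endpoint:", endpoint)
    for src, n in report["external_sources"].items():
        print(f"external source {src}: {n} accepted connection(s)")
```

Every endpoint the summary lists is one the segmentation recommendation above says should not exist: a VNC service on an OT host answering to the internet rather than to a VPN-terminated, MFA-protected remote-access path.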
Third-party vendor risk assessment: The Pickett & Associates breach demonstrates that engineering firms and other vendors with access to critical infrastructure data represent significant supply chain risk. Review data-sharing agreements and vendor security postures.