Executive Summary
The most consequential CPS/ICS development this week was the convergence of two alarming trends: the DHS partial shutdown that reduced CISA to 38% staffing—halting proactive vulnerability scanning, security assessments, and stakeholder engagement—precisely as the Dragos 2026 OT Cybersecurity Year in Review revealed that adversaries have progressed from pre-positioning to actively mapping industrial control loops, with Volt Typhoon operatives still embedded inside U.S. electric and water utilities. CISA nonetheless published eight ICS advisories across two batches, including a critical 9.8-severity authentication bypass in Honeywell CCTV systems, a 9.8-severity flaw in Welker natural gas odorization controllers where the vendor failed to respond to disclosure, and critical vulnerabilities in an end-of-life Chinese IoT serial-to-WiFi device with no patch forthcoming. Meanwhile, Upstream Security’s 2026 automotive report showed ransomware attacks on automotive and smart mobility more than doubled year-over-year, and the Munich Security Report placed cyberattacks at the top of the G7 risk index for the first time.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of February 13 - February 20, 2026
Critical Alerts & Advisories
CISA Shutdown: Operating at 38% Capacity
The partial DHS shutdown that began on February 14 due to a lapse in appropriations has severely degraded CISA’s operational capacity. The agency is currently running with just 888 of its 2,341 staff—roughly 38%—after furloughing the majority of its workforce. Proactive vulnerability scanning of federal networks and critical infrastructure has stopped, security assessments for government agencies and critical infrastructure partners are suspended, cybersecurity guidance development is paused, and training exercises and stakeholder engagements have been cancelled. Work on finalizing the CIRCIA cyber incident reporting rule has also likely halted. This comes on top of the roughly 1,000 staff members CISA had already lost under workforce reduction programs earlier in 2025, meaning the agency has effectively lost two-thirds of its capacity relative to a year ago. Former CISA officials have warned that adversaries may view the shutdown as an opportunity to probe defenses or exploit coordination gaps, and the slowdown in proactive services could widen risk exposure across both government networks and privately operated critical infrastructure.
CISA ICS Advisories: February 17 Batch
CISA published four ICS advisories on February 17, covering products from Siemens, Delta Electronics, GE Vernova, and Honeywell.
The most critical was the Honeywell CCTV advisory (ICSA-26-048-04), which disclosed CVE-2026-1670, a missing authentication vulnerability in multiple Honeywell IP camera models including the I-HIB2PI-UL 2MP and several SMB NDAA-compliant cameras. An unauthenticated API endpoint allows a remote attacker to change the “forgot password” recovery email address, enabling account takeovers and unauthorized access to camera feeds. With a CVSS v3.1 score of 9.8 (Critical) and a network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses a direct risk to physical security monitoring in industrial facilities, critical infrastructure sites, and any environment relying on Honeywell CCTV for perimeter or process surveillance.
GE Vernova’s Enervista UR Setup advisory (ICSA-26-048-03) disclosed two vulnerabilities in the relay configuration tool used across energy, water/wastewater, and critical manufacturing sectors worldwide. CVE-2026-1762, a DLL hijacking flaw scoring 7.8, allows local attackers to achieve code execution with administrative privileges when the installer runs in a location containing untrusted DLLs. CVE-2026-1763, a path traversal issue, permits writing to filesystem files with logged-in user privileges. GE Vernova recommends upgrading to version 8.70 or later. Notably, these vulnerabilities were reported by Reid Wightman of Dragos, reflecting the OT security firm’s ongoing focus on relay and protection device security.
The Siemens Simcenter Femap and Nastran advisory (ICSA-26-048-01) addressed six CVEs (CVE-2026-23715 through CVE-2026-23720) involving file parsing vulnerabilities in NDB and XDB formats that could lead to application crashes or arbitrary code execution if a user opens a malicious file. Delta Electronics’ ASDA-Soft advisory (ICSA-26-048-02) covered CVE-2026-1361, a stack-based buffer overflow when parsing .par files that could corrupt a structured exception handler, though exploitation requires local access and user interaction. Delta has released version 7.2.2.0 as a fix.
CISA ICS Advisories: February 19 Batch
On February 19, CISA released four additional ICS advisories. The EnOcean SmartServer IoT advisory (ICSA-26-050-01) disclosed CVE-2026-20761, a command injection vulnerability scoring 8.1 (High) that allows remote attackers to send malicious LON IP-852 management messages for arbitrary OS command execution on SmartServer IoT devices running version 4.60.009 and earlier. EnOcean SmartServer IoT devices are used in building automation for lighting, HVAC, and occupancy management—sectors where compromise could affect physical comfort, energy management, and potentially safety systems. A second vulnerability, CVE-2026-22885, permits memory leakage through crafted IP-852 messages. EnOcean recommends updating to SmartServer 4.6 Update 2 (v4.60.023).
The Valmet DNA Engineering Web Tools advisory (ICSA-26-050-02) disclosed CVE-2025-15577, a path traversal vulnerability scoring 8.6 (High) that allows unauthenticated attackers to manipulate URLs for arbitrary file read access on systems running version C2022 and earlier. Valmet DNA is a distributed control system widely deployed in energy and critical manufacturing environments, making this a significant exposure for process control networks.
The Jinan USR IOT Technology (PUSR) USR-W610 serial-to-WiFi converter advisory (ICSA-26-050-03) carried four CVEs including CVE-2026-25715 at 9.8 Critical severity. This device, used in critical manufacturing worldwide, allows administrator credentials to be set to blank, permits cleartext credential transmission, and has a missing authentication flaw for critical functions. The vendor has declared the product end-of-life with no plans to release patches, meaning every deployed USR-W610 at version 3.1.1.0 or earlier remains permanently vulnerable. CISA recommends network isolation, firewall protection, and VPN deployment as the only available mitigations.
Perhaps the most alarming advisory of the week was for the Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller (ICSA-26-050-04), which disclosed CVE-2026-24790—a missing authentication vulnerability scoring 9.8 Critical in industrial controllers used for natural gas odorization. An unauthenticated remote attacker can manipulate PLC logic to trigger over- or under-odorization events, with direct safety implications: natural gas is odorized specifically so that leaks can be detected by smell, and tampering with this process could mask dangerous gas leaks or cause false alarms. The advisory affects the chemical, critical manufacturing, energy, and food/agriculture sectors. Critically, the vendor did not respond to CISA’s coordinated disclosure attempts, leaving no patch available and no vendor mitigation guidance.
Automotive CPS Security
Upstream Security 2026 Global Automotive Cybersecurity Report
Upstream Security released its 2026 Global Automotive and Smart Mobility Cybersecurity Report on February 18, analyzing 494 publicly reported incidents worldwide and documenting what it describes as a “material escalation” in risk. Ransomware-related incidents accounted for 44% of all reported attacks, more than doubling from 2024 levels. The report found that 92% of automotive cyberattacks were conducted remotely, with 86% requiring no physical proximity to vehicles or systems. Perhaps most striking, 61% of incidents had the potential to affect thousands to millions of mobility assets, with 20% classified as massive-scale events. The rapid adoption of AI and large language models is fundamentally changing how cybersecurity risks emerge across the automotive ecosystem, with threat actors increasingly leveraging AI-powered attack methods targeting not only vehicles but also EV charging infrastructure, API-driven applications, and smart mobility IoT devices.
Kaspersky ICS CERT: Automotive Industry Risk Forecast
On February 19, Kaspersky ICS CERT published its risk assessment for the automotive industry in 2026, warning that financially motivated attackers will continue targeting automobile manufacturer infrastructure with attacks that could result in production shutdowns or theft of confidential data. The report highlights supply chain attacks via compromised contractor systems as the dominant trend, and notes that new vehicle theft vulnerabilities are expected to surface across CAN bus, OBD and Ethernet ports, NFC modules, Wi-Fi and Bluetooth chips, and LTE modems. In one documented case, attackers connected to a vehicle’s CAN bus through a headlight assembly and subsequently gained access to the engine starter system. Kaspersky also flagged attacks on EV charging station cloud infrastructure as a growing concern, with direct theft of electricity and customer data both viable attack objectives, and warned that road infrastructure such as traffic safety cameras remains an attractive target—citing a 2025 incident where a cyberattack disabled traffic cameras across the Netherlands.
Pwn2Own Automotive 2026: Disclosure Windows Active
The 90-day disclosure windows for the 76 zero-day vulnerabilities discovered at Pwn2Own Automotive 2026 (January 21–23) continue to run. Affected systems include Tesla Infotainment, Alpitronic HYC50 charging stations, ChargePoint Home Flex, Autel MaxiCharger, Grizzl-E Smart chargers, Kenwood navigation receivers, and AGL-based IVI systems. Patches are expected to begin appearing through late February and into April 2026.
Medical Device CPS Security
University of Mississippi Medical Center Ransomware Attack
On February 19, a ransomware attack struck the University of Mississippi Medical Center (UMMC), forcing the closure of all 35 statewide clinics, cancellation of surgeries, and rescheduling of appointments. The EPIC electronic medical record system was taken offline, and county health departments reverted to paper charts. The FBI is surging resources and three national cyber forensics firms have been engaged. The ransomware group has made contact with UMMC but has not been publicly identified. This is the fourth Mississippi hospital system targeted in three years, underscoring the persistent vulnerability of healthcare organizations where IT system compromise directly affects clinical operations and patient care—the core cyber-physical intersection in medical environments.
FDA Cybersecurity Guidance and CISA Capacity
No new CISA medical device advisories (ICSMA) were published during this reporting period, and the CISA shutdown raises concerns about the agency’s ability to process and publish medical device vulnerability disclosures in a timely manner. The FDA’s updated cybersecurity guidance aligning with the new QMSR, which took effect February 2, continues to reshape premarket submission requirements. The FDA is expected to intensify its focus on medical device cybersecurity throughout 2026, with SBOM requirements now statutory for all “cyber devices” and premarket submissions required to include Global System Views, Multi-Patient Harm Views, and Updatability/Patchability Views. Device manufacturers should note that cybersecurity documentation must now be integrated from the earliest design phases rather than treated as a last-stage checkbox.
Water & Wastewater Sector
No new water-sector-specific incidents were reported during this period, but a Senate Environment and Public Works Committee hearing on water cybersecurity underscored the scale of the challenge: Senator Whitehouse warned that current efforts are “wholly insufficient” against state-sponsored actors, noting that fewer than 25% of water/wastewater utilities conduct annual cyber risk assessments and over 70% of inspected systems violate fundamental security requirements including default password use and improper access management. Nearly 170,000 water systems across the country face growing cyber risk as they modernize, and the Dragos 2026 report (see Threat Intelligence Highlights below) delivered a sobering assessment of the sector’s exposure. Dragos CEO Rob Lee stated bluntly that for critical public utilities in the water sector, “it is likely they will never reach the level of sophistication where they would be able to find and remove Volt Typhoon compromises,” and that the community must “live with the reality that a portion of our infrastructure is currently compromised and will remain compromised at the current trajectory.” The GE Vernova Enervista UR Setup vulnerabilities disclosed this week are directly relevant to water/wastewater operators, as the advisory explicitly lists the sector among those affected. The CISA shutdown further compounds risks, as proactive scanning and assessment services that water utilities depend on are now suspended.
Energy & Power Grid
Munich Security Report: The Grid as Battlefield
The Munich Security Report 2026, released during the annual conference this week, placed cyberattacks at the top of the G7 risk index for the first time, with Germany scoring 75/100 on cyber risk and 39% of respondents feeling unprepared, and the UK at 74/100—a five-point increase from 2024. The report documents Russia’s increasingly blended cyber-kinetic operations against European energy grids as part of an intensifying hybrid warfare campaign, combining cyberattacks on energy delivery systems with kinetic sabotage, arson, drone intrusions (approximately 20 Russian drones violated Polish airspace in September 2025 alone), and military airspace violations. Intelligence estimates cited in the report suggest Russia could launch a localized operation against a single European neighbor within six months of a potential Ukraine ceasefire, likely accompanied by intensified cyber operations against energy infrastructure.
Syria Infrastructure Attack Ripple Effects
The February 6 cyberattack that crippled Syrian electrical networks, water supply, and communication systems—slashing internet services by 75%—continued to reverberate this week. Investigators traced the attack to a technological organization operating from the Damascus area, making it the most recent in a string of 17 cyberattacks targeting Syrian infrastructure in recent months. The incident demonstrates how post-conflict states with fragile digital infrastructure remain acutely vulnerable to attacks that bridge the cyber-physical divide across power, water, and communications simultaneously.
Valmet DNA Path Traversal: Energy Sector Impact
The Valmet DNA Engineering Web Tools path traversal vulnerability (CVE-2025-15577, CVSS 8.6) disclosed in this week’s CISA advisory directly affects the energy sector. Valmet DNA is a distributed control system deployed in power generation and pulp/paper manufacturing worldwide. Unauthenticated arbitrary file read access to DCS engineering workstations could expose process configurations, network architecture details, and credentials—information that would be invaluable for an adversary conducting reconnaissance for a deeper OT intrusion.
Manufacturing & Industrial
Dragos 2026 OT Cybersecurity Year in Review
Dragos released its annual OT cybersecurity report on February 17, providing the most comprehensive view of the industrial threat landscape available. The headline finding: adversaries have moved beyond pre-positioning and reconnaissance to actively mapping control loops and understanding how to manipulate physical processes. Dragos now tracks 26 threat groups worldwide, 11 of which were active in 2025, including three newly identified groups. SYLVANITE operates as an initial access broker, rapidly weaponizing vulnerabilities and handing off established footholds to VOLTZITE (the Dragos designation for Volt Typhoon) for deeper OT intrusions—Dragos directly observed SYLVANITE activity while conducting incident response at U.S. electric and water utilities. PYROXENE conducts supply chain compromises and social engineering targeting aviation, aerospace, defense, and maritime sectors across the U.S., Western Europe, Israel, and the UAE. AZURITE focuses on long-term access and OT data theft, targeting OT engineering workstations and exfiltrating network diagrams, alarm data, and process information across manufacturing, defense, automotive, and energy sectors—Dragos noted overlaps between AZURITE and Flax Typhoon, the PRC-linked group recently sanctioned by the U.S. Treasury.
Ransomware groups targeting industrial organizations surged 49% year-over-year, with 119 groups (up from 80 in 2024) collectively impacting 3,300 organizations globally. Manufacturing accounted for more than two-thirds of all victims. The industry-wide average dwell time for ransomware in OT environments was 42 days, but organizations with comprehensive OT visibility detected and contained incidents in an average of just 5 days. A striking 73% of OT intrusions involved exploitation or credential reuse of VPNs, jump hosts, and remote access points—the very infrastructure intended to secure remote OT access. Dragos also found that 82% of organizations lack clear criteria for when operational anomalies should trigger cyber investigations, and that 25% of ICS-CERT and NVD vulnerability advisories had incorrect CVSS scores in 2025, with 26% containing no patch or mitigation from vendors.
End-of-Life IoT in Manufacturing: USR-W610
The PUSR USR-W610 serial-to-WiFi converter advisory (ICSA-26-050-03) underscores a persistent challenge in manufacturing environments: end-of-life IoT devices with critical vulnerabilities and no vendor support. The USR-W610 is a Chinese-manufactured device used to bridge serial RS232/RS485 equipment to WiFi networks—exactly the type of device commonly found connecting legacy industrial equipment to modern networks. With four CVEs including a 9.8 Critical authentication bypass and the vendor declining to patch, every deployed unit represents a permanent network entry point. This aligns directly with CISA’s BOD 26-02 (from week 07) requiring agencies to inventory and replace end-of-life edge devices.
Threat Intelligence Highlights
Volt Typhoon: Still Inside U.S. Utilities
The most alarming finding from the Dragos 2026 report is the confirmation that Volt Typhoon operatives—tracked by Dragos as VOLTZITE—remain actively embedded in U.S. critical infrastructure. Rob Lee stated that VOLTZITE operatives “are still very active, and they’re still absolutely mapping out and getting into embedding in U.S.” critical infrastructure. In 2025, VOLTZITE continued embedding inside strategic American utilities “to maintain long-term persistence,” with operatives getting inside the control loop systems that manage utilities’ industrial processes. The PRC-backed crew’s primary focus is causing future disruption. The newly identified SYLVANITE group functions as an initial access broker feeding footholds directly to VOLTZITE, creating a coordinated two-stage intrusion pipeline targeting U.S. electric and water utilities.
Salt Typhoon: FBI Confirms Ongoing Threat Across 80+ Countries
On February 19, FBI Deputy Assistant Director Michael Machtinger stated at CyberTalks that Salt Typhoon’s campaign remains “still very, very much ongoing” and has impacted more than 80 countries with “indiscriminate” targeting of telecommunications infrastructure. Earlier in February, Norway’s Police Security Service confirmed Salt Typhoon compromised network devices in Norwegian organizations, and Singapore disclosed that UNC3886 (associated with Salt Typhoon) targeted the country’s four largest telecom companies, prompting Singapore’s “largest multi-agency cyber operation” in response. While Salt Typhoon’s primary targets are telecommunications rather than ICS/OT, compromised telecom infrastructure directly affects the communications networks that critical infrastructure operators depend on for SCADA telemetry, remote monitoring, and emergency coordination.
ELECTRUM: Destructive Operations Continue
The Dragos report documented ELECTRUM (the group behind the Sandworm-attributed Poland grid attack covered in week 07) conducting multiple destructive operations throughout 2025, including a coordinated attack against eight Ukrainian ISPs in May and deployment of new wiper malware variants. The progression from the Poland DER attack to ongoing wiper development indicates that destructive OT-targeting capabilities continue to mature.
Nozomi Networks OT/IoT Threat Report
Nozomi Networks Labs released its OT/IoT cybersecurity trends report on February 19, finding that 70% of ransomware activity targets English-speaking countries (40% U.S., 30% Canada/UK combined), and that a third of all honeypot attacks originated from China. The report revealed that 14% of observed OT networks use open or legacy security modes, and 68% of wireless OT networks lack Management Frame Protection—leaving building automation, manufacturing, and utility environments exposed to adversary-in-the-middle attacks, which were associated with over 25% of all alerts observed.
CISA Shutdown: Intelligence and Coordination Gap
The CISA shutdown creates a significant intelligence-sharing gap at a critical moment. With proactive vulnerability scanning halted, security assessments suspended, and stakeholder engagement cancelled, critical infrastructure operators—particularly smaller water utilities and municipal power systems—lose a key source of threat intelligence and coordination. This gap is especially concerning given the active Volt Typhoon presence in U.S. utilities and the elevated threat level documented by the Munich Security Report.
Defensive Recommendations
Honeywell CCTV patching (Critical): Organizations using Honeywell I-HIB2PI-UL, SMB NDAA MVO-3, PTZ WDR 2MP, or 25M IPC cameras should contact Honeywell immediately for patch information. The CVE-2026-1670 authentication bypass (CVSS 9.8) allows unauthenticated remote account takeover. Until patched, isolate camera management interfaces from general network access.
Welker OdorEyes XL4 isolation (Critical): Natural gas operators using Welker OdorEyes EcoSystem Pulse Bypass systems must immediately isolate XL4 controllers from network access. The CVE-2026-24790 authentication bypass (CVSS 9.8) allows unauthenticated manipulation of odorization PLC logic with direct safety implications. No vendor patch exists.
End-of-life IoT audit: Inventory all serial-to-WiFi converters, protocol gateways, and similar edge devices in OT environments. Any PUSR USR-W610 units should be isolated behind firewalls immediately and slated for replacement, as the vendor has declared end-of-life with no patches. This applies broadly to all similar devices per CISA BOD 26-02.
GE Vernova Enervista UR Setup upgrade: Energy, water/wastewater, and manufacturing operators using Enervista UR Setup should upgrade to version 8.70 or later to address the DLL hijacking (CVE-2026-1762) and path traversal (CVE-2026-1763) vulnerabilities.
Valmet DNA Engineering Web Tools: Energy and manufacturing operators running Valmet DNA version C2022 or earlier should contact Valmet’s automation customer service for the path traversal fix (CVE-2025-15577). Restrict network access to DCS engineering workstations immediately.
EnOcean SmartServer IoT update: Building automation operators should update to SmartServer 4.6 Update 2 (v4.60.023) to address the command injection vulnerability (CVE-2026-20761, CVSS 8.1) in IP-852 management.
OT visibility investment: The Dragos finding that comprehensive OT visibility reduces ransomware dwell time from 42 days to 5 days provides a clear business case for network monitoring investments. Establish clear criteria for when operational anomalies should trigger cyber investigations.
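The Dragos finding that 82% of organizations lack written criteria for escalating operational anomalies, and the recommendation above to establish them, become enforceable once the criteria are expressed as triage logic over the OT event stream. The following is an added example, not code from Dragos or from this report: it encodes two such criteria (a process anomaly shortly after a PLC logic write from a remote-access path, or after an unticketed write) and runs them over constructed log lines. The event format, hostnames, tag names and the two-hour look-back window are all assumptions.

```python
"""Escalation criteria for OT anomalies (added example; rules and logs are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: timestamp  host  event_type  key=value fields
# The odorant_rate anomaly mirrors the over/under-odorization scenario in the
# Welker advisory; the hosts, users and ticket ids are invented.
SAMPLE_LOG = """\
2026-02-18T01:02:10 vpn-gw remote_login user=contractor7 src=203.0.113.9
2026-02-18T01:05:42 jump-host session_start user=contractor7 dst=eng-ws-03
2026-02-18T01:09:15 eng-ws-03 plc_logic_write plc=odor-plc-1 ticket=none
2026-02-18T01:20:03 historian process_anomaly tag=odorant_rate dev=-61%
2026-02-18T09:30:00 eng-ws-01 plc_logic_write plc=line2-plc ticket=CHG-4412
2026-02-18T09:41:11 historian process_anomaly tag=line2_speed dev=+12%
2026-02-18T14:10:00 historian process_anomaly tag=tank3_level dev=+8%
"""

WINDOW = timedelta(hours=2)  # assumption: how far back to look for a triggering write


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated format into Event records."""
    events = []
    for line in text.splitlines():
        ts, host, kind, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return sorted(events, key=lambda e: e.ts)


def remote_access_hosts(events: list[Event]) -> set[str]:
    """Engineering hosts reached by a user who came in through VPN/jump host."""
    remote_users, hosts = set(), set()
    for e in events:
        if e.kind == "remote_login":
            remote_users.add(e.fields["user"])
        elif e.kind == "session_start" and e.fields["user"] in remote_users:
            hosts.add(e.fields["dst"])
    return hosts


def triage(events: list[Event]) -> list[tuple[str, str]]:
    """Return (anomaly tag, reason) for each anomaly that meets an escalation rule."""
    remote_hosts = remote_access_hosts(events)
    escalations = []
    for a in (e for e in events if e.kind == "process_anomaly"):
        recent_writes = [w for w in events
                         if w.kind == "plc_logic_write" and a.ts - WINDOW <= w.ts < a.ts]
        for w in recent_writes:
            plc = w.fields["plc"]
            if w.host in remote_hosts:
                # Rule 1: the write originated from a remote-access path (the vector
                # Dragos found in 73% of OT intrusions) -> open a cyber investigation.
                escalations.append((a.fields["tag"], f"logic write to {plc} from remote-access host {w.host}"))
            elif w.fields.get("ticket", "none") == "none":
                # Rule 2: no change ticket backs the write -> investigate before closing.
                escalations.append((a.fields["tag"], f"unticketed logic write to {plc}"))
            # A ticketed write from a local engineering station stays a maintenance event.
    return escalations


if __name__ == "__main__":
    for tag, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"ESCALATE {tag}: {reason}")
```

Anomalies with no qualifying write in the window (tank3_level, and line2_speed, whose write was local and ticketed) stay with operations; only the odorant_rate deviation is routed to a cyber investigation.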
CISA shutdown contingency: With CISA operating at reduced capacity, critical infrastructure operators should increase reliance on sector-specific ISACs, vendor threat intelligence feeds, and commercial OT security providers for threat intelligence and vulnerability awareness during the shutdown period.
Sources Referenced
Government & Regulatory Advisories
- CISA ICS Advisories
  - ICSA-26-048-01: Siemens Simcenter Femap and Nastran
  - ICSA-26-048-02: Delta Electronics ASDA-Soft
  - ICSA-26-048-03: GE Vernova Enervista UR Setup
  - ICSA-26-048-04: Honeywell CCTV Products
  - ICSA-26-050-01: EnOcean SmartServer IoT
  - ICSA-26-050-02: Valmet DNA Engineering Web Tools
  - ICSA-26-050-03: PUSR USR-W610
  - ICSA-26-050-04: Welker OdorEyes EcoSystem