Executive Summary
The week was dominated by a dramatic geopolitical escalation as Operation Epic Fury—a joint U.S.–Israeli strike campaign launched February 28—triggered an immediate Iranian cyber counteroffensive targeting critical infrastructure across Israel, the Gulf states, and organizations with Western ties, with CyberAv3ngers, Handala, and approximately 60 hacktivist groups conducting operations against energy, water, and industrial targets. CISA published nine new ICS advisories on March 3 and 5 covering products from Hitachi Energy, Mitsubishi Electric, Delta Electronics, Labkotec, and Portwell Engineering, while also extending its coordinated EV charging platform disclosure with three additional vendors. The agency continues to operate under severe constraints—having lost roughly one-third of its workforce and operating under a DHS shutdown with a leadership reshuffle—at precisely the moment when nation-state cyber threats against operational technology are escalating most sharply.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of February 27 – March 6, 2026
Critical Alerts & Advisories
CISA published nine ICS advisories across two releases this week, despite continuing to operate at reduced capacity during the DHS funding lapse. The March 3 batch contained eight advisories, and a single advisory followed on March 5.
The most operationally significant advisory addressed the Hitachi Energy RTU500 series (ICSA-26-062-03), which disclosed four vulnerabilities in the CMU firmware used in substation automation and power grid monitoring. CVE-2026-1773, scored at CVSS 7.5, enables a denial-of-service condition through invalid U-format frames in the IEC 60870-5-104 telecontrol protocol—a protocol fundamental to power grid SCADA communications—though only systems configured for bidirectional operation are affected. Two additional high-severity vulnerabilities, CVE-2024-8176 and CVE-2025-59375 (both CVSS 7.5), stem from stack overflow and memory allocation flaws in the libexpat XML parsing library and affect systems running IEC 61850 communications. A fourth issue, CVE-2026-1772 (CVSS 4.3), allows unprivileged users to read user management information through browser development tools. Hitachi Energy has released patched firmware versions 12.7.8, 13.7.8, and 13.8.2, and operators of RTU500 systems in energy infrastructure should prioritize these updates.
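The U-format frames named in the RTU500 advisory are the four-byte control frames of the IEC 60870-5-104 APCI header (STARTDT, STOPDT and TESTFR act/con). The validator below is an added example, not code from the advisory or from Hitachi Energy: it implements the structural checks the standard defines for the APCI (start byte, length field, I/S/U format bits, and the rule that a U-frame carries exactly one function bit and zero bytes elsewhere), which is the kind of protocol-aware sanity check an OT monitoring sensor or a gateway in front of an RTU could apply to flag malformed frames. The sample frames are constructed; nothing here reproduces the specific condition the advisory describes.

```python
"""Classify IEC 60870-5-104 APDUs and reject malformed APCI headers.

Added example (not from the advisory or Hitachi Energy). Frame layout follows
the IEC 60870-5-104 standard; sample frames are constructed.
"""
from dataclasses import dataclass

START_BYTE = 0x68
APCI_LEN = 6  # start byte, length byte, four control-field bytes

# Legal control-field-1 values for U-format frames: the 0b11 format marker
# plus exactly one function bit.
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}


@dataclass
class Verdict:
    ok: bool
    kind: str      # "I", "S", "U" or "malformed"
    detail: str


def classify_apdu(frame: bytes) -> Verdict:
    """Return the frame type and whether the APCI header is well-formed."""
    if len(frame) < APCI_LEN:
        return Verdict(False, "malformed", "shorter than APCI header")
    if frame[0] != START_BYTE:
        return Verdict(False, "malformed", f"bad start byte 0x{frame[0]:02x}")
    length = frame[1]
    # The length byte counts everything after itself: 4 control bytes + ASDU.
    if length < 4 or length > 253 or len(frame) != length + 2:
        return Verdict(False, "malformed",
                       f"length field {length} does not match frame size {len(frame)}")
    cf1, cf2, cf3, cf4 = frame[2:6]
    if cf1 & 0x01 == 0:                      # bit 0 clear -> I-format
        if length == 4:
            return Verdict(False, "I", "I-format frame carries no ASDU")
        send_seq = ((cf2 << 8) | cf1) >> 1   # 15-bit sequence numbers
        recv_seq = ((cf4 << 8) | cf3) >> 1
        return Verdict(True, "I", f"send seq {send_seq}, recv seq {recv_seq}")
    if cf1 & 0x03 == 0x01:                   # bits 0b01 -> S-format
        if length != 4 or cf1 != 0x01 or cf2 != 0x00:
            return Verdict(False, "S", "S-format frame with unexpected control bytes")
        return Verdict(True, "S", f"recv seq {((cf4 << 8) | cf3) >> 1}")
    # bits 0b11 -> U-format: no ASDU, bytes 2-4 zero, one defined function
    if length != 4:
        return Verdict(False, "U", "U-format frame must have length 4")
    if (cf2, cf3, cf4) != (0, 0, 0):
        return Verdict(False, "U", "U-format control bytes 2-4 must be zero")
    if cf1 not in U_FUNCTIONS:
        return Verdict(False, "U", f"undefined U-format function byte 0x{cf1:02x}")
    return Verdict(True, "U", U_FUNCTIONS[cf1])


# Constructed sample frames.
SAMPLES = {
    "startdt_act":    bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00]),
    "testfr_con":     bytes([0x68, 0x04, 0x83, 0x00, 0x00, 0x00]),
    "s_frame":        bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00]),
    "i_frame":        bytes([0x68, 0x0E, 0x02, 0x00, 0x02, 0x00]) + bytes(10),
    "two_functions":  bytes([0x68, 0x04, 0x47, 0x00, 0x00, 0x00]),  # STARTDT act + TESTFR act
    "u_with_payload": bytes([0x68, 0x06, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02]),
    "u_nonzero_tail": bytes([0x68, 0x04, 0x07, 0x00, 0x01, 0x00]),
}


def audit(frames=SAMPLES) -> dict:
    """Classify every sample frame; malformed ones come back with ok=False."""
    return {name: classify_apdu(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:15s} {verdict.kind:9s} {'ok ' if verdict.ok else 'BAD'} {verdict.detail}")
```

A monitor built on this would count `ok=False` verdicts per peer; a burst of malformed U-frames toward an RTU configured for bidirectional IEC 104 is worth an alert regardless of whether the device is patched.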
The companion Hitachi Energy advisory for the Relion REB500 protection and control platform (ICSA-26-062-02) disclosed two medium-severity privilege escalation vulnerabilities. CVE-2026-2459 (CVSS 6.5) allows authenticated users with the Installer role to access and modify unauthorized directory contents, while CVE-2026-2460 (CVSS 6.8) permits low-privilege users to exploit the DAC protocol for similar unauthorized access. Hitachi Energy has released version 8.3.3.1 and recommends disabling the Installer role except during firmware updates.
Mitsubishi Electric’s MELSEC iQ-F Series received an advisory (ICSA-26-062-01) addressing two denial-of-service vulnerabilities in the FX5-ENET/IP and FX5-EIP Ethernet modules. CVE-2026-1874 stems from an always-incorrect control flow implementation, and CVE-2026-1876 from improper resource shutdown; both are triggered by continuous UDP packet flooding. The CVSS 4.0 base score of 8.7 reflects the ease of remote exploitation without authentication. These PLCs are widely deployed in manufacturing automation, and a successful denial-of-service attack could halt production lines. Mitsubishi has released firmware version 1.107 for the FX5-ENET/IP module, though a fix for the FX5-EIP remains pending.
Delta Electronics CNCSoft-G2 (ICSA-26-064-01) received an advisory for CVE-2026-3094 (CVSS 7.8), an out-of-bounds write vulnerability in the DOPSoft component when processing DPAX files that could enable remote code execution. While exploitation requires local access and user interaction with a malicious file, the impact—full compromise of confidentiality, integrity, and availability—makes this a serious concern for manufacturing environments using Delta’s CNC machining software. Delta has released version 2.1.0.39 to address the flaw.
The Labkotec LID-3300IP ice detector advisory (ICSA-26-062-05) stands out for its unusual target: a sensor used on wind turbines and meteorological stations to detect icing conditions that threaten turbine blade integrity and public safety. CVE-2026-1775 (CVSS 9.4) is a critical missing-authentication vulnerability that allows unauthenticated attackers to send specially crafted packets that alter device parameters and execute operational commands. Labkotec has manufactured over 10,000 ice detection systems deployed worldwide, and the vulnerability affects all versions of the original LID-3300IP model and Type 2 versions prior to V2.20. Given the recent Poland DER cyberattack that specifically targeted wind farm infrastructure, this vulnerability takes on heightened significance—an attacker could manipulate ice detection thresholds, suppressing safety shutdowns or triggering spurious blade heating cycles that waste energy and reduce turbine availability.
The Portwell Engineering Toolkits advisory (ICSA-26-062-04) disclosed CVE-2026-3437 (CVSS 9.3), a critical memory buffer vulnerability in version 4.8.2 that enables local authenticated attackers to read and write arbitrary memory through the Portwell driver, potentially escalating privileges or causing denial-of-service. Portwell, like the InSAT MasterSCADA vendor disclosed in week 09, has not responded to CISA’s coordination requests—a troubling pattern of vendor non-responsiveness in the ICS space.
EV Charging Infrastructure: Continued Coordinated Disclosure
CISA extended its unprecedented coordinated EV charging vulnerability disclosure with three new advisories on March 3, bringing the total to nine vendors affected across two weeks. The new additions—Everon (Netherlands, ICSA-26-062-08), ePower (Ireland, ICSA-26-062-07), and Mobiliti (Hungary, ICSA-26-062-06)—share the identical OCPP WebSocket vulnerability pattern first disclosed on February 26: missing authentication for critical functions, insufficient restrictions on authentication attempts, predictable session identifiers enabling session hijacking, and insufficiently protected credentials. Notably, Everon shut down its platform entirely on December 1, 2025, while ePower did not respond to CISA’s coordination attempts. The cumulative picture across all nine vendors now represents a systemic failure in the EV charging ecosystem’s implementation of the OCPP standard, spanning companies across Sweden, the UK, France, Ireland, Hungary, and the Netherlands. The common attack scenario remains unchanged: adversaries can impersonate charging stations, hijack active sessions, suppress legitimate traffic, and manipulate data flowing to backend energy management systems.
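The four findings shared by all nine vendors map onto a handful of decisions a central system makes when a charge point opens its OCPP-J WebSocket (identity in the URL path, optional HTTP Basic credentials as in OCPP security profile 1). The following is an added example, not code from CISA, the advisories or any of the named vendors: it models a backend that exhibits the disclosed pattern (trusts the path identity alone, never throttles, issues sequential session ids, keeps keys in clear text) next to a hardened one that verifies the AuthorizationKey against a salted PBKDF2 hash with a constant-time compare, locks out after repeated failures, and issues unguessable session tokens. The charge point ids, keys and lockout parameters are constructed for the example.

```python
"""Weak vs. hardened acceptance of an OCPP-J charge-point connection.

Added example, not code from CISA, the advisories or any named vendor.
Sample credentials and ids are constructed; lockout parameters are assumed.
"""
import base64
import hashlib
import hmac
import secrets
import time


class WeakBackend:
    """Reproduces the disclosed pattern: no authentication, guessable sessions."""

    def __init__(self):
        self.sessions = {}
        self.counter = 1000

    def connect(self, cp_id, auth_header=None):
        # Missing authentication: identity in the URL path is taken at face value.
        self.counter += 1                 # predictable session id
        token = str(self.counter)
        self.sessions[token] = cp_id
        return {"accepted": True, "session": token}


class HardenedBackend:
    MAX_FAILURES = 5                      # assumed policy values
    LOCKOUT_SECONDS = 900

    def __init__(self, credentials):
        # Store only salted PBKDF2 hashes of each AuthorizationKey, never clear text.
        self._creds = {}
        for cp_id, key in credentials.items():
            salt = secrets.token_bytes(16)
            self._creds[cp_id] = (salt, self._derive(key, salt))
        self._failures = {}               # cp_id -> [failure count, locked_until]
        self.sessions = {}

    @staticmethod
    def _derive(key, salt):
        return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

    def connect(self, cp_id, auth_header=None, now=None):
        now = time.time() if now is None else now
        count, locked_until = self._failures.get(cp_id, [0, 0.0])
        if now < locked_until:
            return {"accepted": False, "reason": "locked out"}
        ok = False
        if auth_header and auth_header.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                user, password = "", ""
            stored = self._creds.get(cp_id)
            # Username must equal the path identity; digest compare is constant-time.
            if stored is not None and user == cp_id:
                ok = hmac.compare_digest(self._derive(password, stored[0]), stored[1])
        if not ok:
            count += 1
            if count >= self.MAX_FAILURES:
                locked_until = now + self.LOCKOUT_SECONDS
            self._failures[cp_id] = [count, locked_until]
            return {"accepted": False, "reason": "bad credentials"}
        self._failures.pop(cp_id, None)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.sessions[token] = cp_id
        return {"accepted": True, "session": token}


def basic_header(user, password):
    """Build the HTTP Basic Authorization header a charge point would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    weak, hard = WeakBackend(), HardenedBackend({"CP-0001": "constructed-key"})
    print(weak.connect("CP-0001"))
    print(hard.connect("CP-0001"))
    print(hard.connect("CP-0001", basic_header("CP-0001", "constructed-key")))
```

Two details matter beyond the obvious password check: the username inside the Basic credentials has to match the charge point identity in the path (otherwise a valid key for one station authenticates any station id), and the lockout counter is keyed on the charge point identity so that guessing against a station is throttled no matter where the attempts come from.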
Automotive CPS Security
The Automotive ISAC held its March 2026 community call focused on post-quantum cryptography (PQC) transition challenges for automotive embedded systems in the software-defined vehicle era. The discussion, informed by Valeo’s research as part of an EU-funded project spanning automotive, aerospace, and IoT industries, addressed a fundamental challenge: how to migrate long-lifecycle vehicles with heterogeneous embedded platforms—from high-performance domain controllers to resource-constrained ECUs—to quantum-resistant algorithms before cryptographically relevant quantum computers arrive. The ISAC’s migration strategy prioritizes immediate PQC readiness for all asymmetric schemes protecting network-exposed use cases, recognizing their vulnerability to remote quantum adversaries, and includes a novel lightweight countermeasure designed to protect ML-KEM implementations against recent side-channel attacks. The strategy also advocates for integrating secure boot and secure update mechanisms into a hybrid symmetric/asymmetric authentication scheme that preserves acceptable boot times throughout a vehicle’s operational lifetime.
Upstream Security’s 2026 Global Automotive and Smart Mobility Cybersecurity Report, released February 18 with continued coverage this week, documented 494 publicly reported incidents in 2025 with ransomware doubling year-over-year to account for 44% of all incidents. The report revealed a particularly alarming development: ransomware operators in mid-2025 began targeting vehicles directly, accessing remote command-and-control systems through companion apps to lock owners out, seize control of ignition and door locks, and demand ransom—moving beyond traditional IT-focused extortion into the physical domain. Ninety-two percent of attacks were conducted remotely, with 67% involving telematics and cloud systems as attack vectors, and 61% having the potential to impact thousands to millions of mobility assets.
Kaspersky ICS CERT published its 2026 risk assessment for the automotive sector on February 19, warning that attacks on car fleets—carsharing, taxi, and leasing companies—could enable mass remote vehicle immobilization via fleet management modules designed for legitimate remote stopping. The report described a specific case where attackers directed dozens of taxi drivers simultaneously to a single location, creating a traffic jam, and predicted that 2026 would bring escalating incidents targeting smart transportation systems, vessels, trains, public transit, and smart buildings.
Medical Device CPS Security
The FDA’s updated cybersecurity guidance, issued February 10 as “Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions,” became the dominant regulatory development for the medical device sector during this period. The guidance, which supersedes the June 2025 version, aligns with the Quality Management System Regulation (QMSR) that took effect February 2, 2026, harmonizing FDA’s quality system requirements with ISO 13485:2016. For device makers preparing 510(k), De Novo, PMA, or related submissions in 2026, cybersecurity documentation—including risk analyses, test results, software bills of materials, patching capabilities, and encryption implementations—must now be integrated from the earliest design phases. Industry observers expect the FDA to shift its focus from reviewing pre-market paperwork under Section 524B to actively auditing the real-world effectiveness of post-market security processes, a significant operational change that will require medical device manufacturers to demonstrate ongoing cybersecurity vigilance rather than point-in-time compliance.
The broader healthcare cybersecurity landscape remains under severe pressure. Research indicates that 53% of connected medical devices and IoT systems in hospitals carry known critical vulnerabilities, approximately one-third of healthcare IoT devices have identified critical risks, and 93% of organizations have confirmed known exploited vulnerabilities in their Internet of Medical Things (IoMT) environments. Ransomware attacks against medical practices, multi-location clinics, and specialty groups surged 36% year-over-year in late 2025.
Water & Wastewater Sector
No new water-sector-specific incidents or advisories emerged during this reporting period, but the sector faces elevated risk from two converging developments. The Iran-aligned cyber escalation following Operation Epic Fury poses direct threats to water infrastructure: CyberAv3ngers, the IRGC-linked group sanctioned by the U.S. Treasury for previous attacks on Unitronics PLCs at U.S. water utilities, is among the most active actors in the current campaign. Unit 42 assessed CyberAv3ngers as the “highest-priority state-directed cyber actor” in the current conflict, and the group has a documented pattern of exploiting default credentials on programmable logic controllers and human-machine interfaces in water treatment facilities.
Simultaneously, the CISA operational constraints discussed below mean that proactive vulnerability scanning, security assessments, and stakeholder engagement programs that previously supported water utility cybersecurity have been suspended. With nearly 70% of inspected water utilities already found in violation of basic cybersecurity standards (per Senate testimony in week 08), and VOLTZITE/Volt Typhoon remaining embedded in U.S. water utilities (per Dragos reporting in week 09), the sector’s defensive posture is deteriorating at a time of heightened threat.
Energy & Power Grid
The Poland energy sector cyberattack (December 29, 2025) continued to generate significant analysis and policy response during this period. CISA’s February 10 advisory—which remained the agency’s most detailed OT-focused guidance document during this reporting week—identified three critical lessons from the incident: the continuing danger of end-of-life edge devices such as firewalls and VPN gateways, the persistence of default credentials as an entry point into OT environments, and the risk posed by OT devices lacking firmware verification capabilities that can be permanently damaged during an intrusion. The attack, attributed to either Sandworm/GRU or Berserk Bear/FSB depending on the source, targeted over 30 distributed energy resource sites and resulted in loss of view and control between facilities and distribution system operators, destruction of HMI data, and corrupted system firmware on RTUs.
The Labkotec LID-3300IP advisory (discussed above) has direct relevance to the energy sector: these ice detectors are deployed on wind turbines worldwide, and their compromise could disrupt the safety systems that wind farms depend on to protect both equipment and nearby populations from ice throw hazards. Combined with the ongoing EV charging OCPP vulnerability disclosures—which affect both the energy and transportation sectors—this week’s advisories underscore the expanding attack surface of distributed energy resources.
Manufacturing & Industrial
The Dragos 2026 OT/ICS Cybersecurity Year in Review, released February 17 with continued analysis through this reporting period, documented manufacturing as the sector bearing the heaviest burden of ransomware attacks, accounting for more than two-thirds of all victims across 3,300 affected organizations tracked by 119 ransomware groups in 2025—a 64% year-over-year increase. The average dwell time of 42 days in OT environments gives attackers extensive time to map control loops and understand physical processes before either deploying ransomware or conducting more targeted disruption.
Dragos identified three new OT-focused threat groups during 2025, with AZURITE emerging as a particular concern for manufacturing. The group focuses on long-term access and OT data theft, specifically targeting OT engineering workstations and exfiltrating operational data across manufacturing, defense, automotive, electric, and oil and gas sectors. This represents the adversary evolution that Dragos has been tracking: a shift from isolated device targeting to mapping entire industrial control systems, with multiple state-aligned groups now engaged in control-loop mapping that identifies engineering workstations and collects operational context for potential physical disruption.
The Mitsubishi MELSEC and Delta Electronics CNCSoft-G2 advisories issued this week directly affect manufacturing environments, adding to the cumulative vulnerability burden that saw 2,451 ICS vulnerability disclosures across 152 vendors in 2025—nearly double the 1,690 across 103 vendors in 2024.
Threat Intelligence Highlights
Iran-Aligned Cyber Escalation: Operation Epic Fury Aftermath
The most consequential geopolitical cyber development of 2026 unfolded during this reporting period. On February 28, the United States and Israel launched Operation Epic Fury, a coordinated strike campaign targeting Iran’s military command, missile infrastructure, and senior leadership. Within hours, Iran initiated a multi-vector retaliatory campaign that included a significant cyber dimension. Palo Alto Networks Unit 42 published a threat brief estimating roughly 60 hacktivist groups were active as of March 2, including pro-Iranian and pro-Russian collectives, many coordinated through the newly established “Electronic Operations Room” formed on February 28.
CyberAv3ngers—assessed by Unit 42 as the highest-priority state-directed cyber actor despite presenting as a hacktivist collective, and sanctioned by the U.S. Treasury for IRGC-CEC connections—represents the most direct threat to CPS and ICS environments. The group’s documented targeting of Unitronics PLCs in U.S. water utilities and its focus on programmable logic controllers and human-machine interfaces make it a persistent concern for all critical infrastructure operators. Handala, linked to Iran’s Ministry of Intelligence and Security, claimed compromises of an Israeli energy exploration company, Jordan’s fuel systems, and Israeli civilian healthcare targets. The deployment of WhiteLock ransomware against Israeli targets marked a return to state-sponsored ransomware as a tool for both disruption and financial gain.
Iran’s available internet connectivity dropped to 1–4% following the strikes, and Unit 42 assessed that this disruption—combined with reported degradation of leadership and command structures—is likely hindering the ability of state-aligned cyber units inside Iran to coordinate sophisticated attacks in the near term. However, pre-positioned access, diaspora-based operators, and the ecosystem of proxy hacktivist groups mean that the threat to critical infrastructure remains elevated.
CISA Operational Crisis: Leadership Change and Continued Constraints
CISA’s operational challenges deepened during this period. Acting Director Madhu Gottumukkala was reassigned to a senior strategy role at DHS, with Cybersecurity Executive Assistant Director Nick Anderson assuming the role of acting chief. The agency has lost approximately 1,000 staff members—roughly one-third of its workforce—under the current administration’s reduction programs, and the DHS shutdown that began February 14 continues. During the shutdown, only 888 of 2,341 employees are designated as excepted, working without pay to maintain critical functions: responding to imminent threats, sharing vulnerability information, maintaining the 24/7 operations center, and operating cybersecurity shared services. Strategic planning, development of new technical capabilities, cybersecurity assessments, and training exercises remain suspended. As CNBC reported on March 3, this operational degradation coincides with the most significant escalation of Iranian cyber threats to U.S. critical infrastructure in recent memory.
Defensive Recommendations
The Iran-aligned cyber escalation demands immediate attention from all critical infrastructure operators. Organizations should review CISA’s Iran threat advisories and Unit 42’s March 2026 threat brief, focusing on CyberAv3ngers’ known tactics: exploitation of default credentials on Unitronics and similar PLCs, targeting of internet-exposed HMIs, and use of VPN and firewall vulnerabilities for initial access. Change all default passwords on OT devices immediately, audit internet-facing OT assets, and implement network segmentation between IT and OT environments. Monitor for indicators of compromise published by Unit 42, CrowdStrike, and CISA’s Iran-specific advisory page.
Hitachi Energy RTU500 operators in electric utility environments should update CMU firmware to versions 12.7.8, 13.7.8, or 13.8.2 to address the IEC 60870-5-104 denial-of-service vulnerability (CVE-2026-1773) and libexpat flaws. Given the RTU500’s critical role in substation automation, schedule updates during planned maintenance windows and verify IEC 61850 communications after patching. Relion REB500 operators should update to version 8.3.3.1 and disable the Installer role except during firmware updates.
Mitsubishi MELSEC iQ-F FX5-ENET/IP operators should update to firmware version 1.107 to address the UDP-based denial-of-service vulnerabilities. For FX5-EIP modules where no patch is yet available, implement firewall rules to restrict UDP traffic to trusted sources only, and use IP filtering on the modules themselves.
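The two interim controls above for the MELSEC FX5 modules (UDP only from trusted sources, and attention to the continuous UDP flooding the advisory describes as the trigger) can be checked from flow records while the FX5-EIP fix is pending. The detector below is an added example, not from the Mitsubishi advisory or CISA: it reads constructed flow-log lines (`timestamp,src,dst,proto,dport`), reports any UDP source toward a PLC address that is not on the allowlist, and raises a flood alert when one source exceeds a packets-per-second threshold toward a module. The addresses, ports, threshold and log format are all constructed for the example; it is a general pattern that applies to any UDP-exposed controller, not only the FX5 modules.

```python
"""Flag untrusted UDP sources and UDP floods toward PLC modules from flow records.

Added example, not from the Mitsubishi advisory or CISA. Addresses, ports,
threshold and the log format are constructed.
"""
from collections import Counter, defaultdict

PLC_ADDRS = {"10.10.5.21", "10.10.5.22"}     # constructed FX5 module addresses
TRUSTED_UDP_SOURCES = {"10.10.5.10"}         # constructed engineering workstation
PPS_THRESHOLD = 200                          # assumed flood threshold (packets/second)

# Constructed flow log: three normal flows, one untrusted source, then a burst
# of 250 UDP packets within one second from a second untrusted source.
SAMPLE_FLOWS = """\
1709500000.10,10.10.5.10,10.10.5.21,UDP,44818
1709500000.20,10.10.5.10,10.10.5.21,UDP,44818
1709500000.25,10.10.5.77,10.10.5.22,TCP,502
1709500000.30,192.168.40.9,10.10.5.21,UDP,2222
""" + "\n".join(f"1709500001.{i:03d},172.16.8.8,10.10.5.22,UDP,2222" for i in range(250))


def parse_flows(text):
    """Parse 'timestamp,src,dst,proto,dport' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split(",")
        records.append((float(ts), src, dst, proto, int(dport)))
    return records


def analyze(records, plc_addrs=PLC_ADDRS, trusted=TRUSTED_UDP_SOURCES,
            threshold=PPS_THRESHOLD):
    """Return untrusted UDP (src, dst, dport) triples and per-second flood hits."""
    untrusted = set()
    per_second = defaultdict(Counter)        # (src, dst) -> {second: packet count}
    for ts, src, dst, proto, dport in records:
        if proto != "UDP" or dst not in plc_addrs:
            continue                          # only UDP toward PLC addresses matters here
        if src not in trusted:
            untrusted.add((src, dst, dport))
        per_second[(src, dst)][int(ts)] += 1
    floods = [(src, dst, sec, n)
              for (src, dst), buckets in per_second.items()
              for sec, n in buckets.items() if n > threshold]
    return {"untrusted_udp": sorted(untrusted), "floods": sorted(floods)}


def run():
    return analyze(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    result = run()
    for src, dst, dport in result["untrusted_udp"]:
        print(f"untrusted UDP {src} -> {dst}:{dport}")
    for src, dst, sec, n in result["floods"]:
        print(f"flood {src} -> {dst}: {n} UDP packets in second {sec}")
```

The `untrusted_udp` output doubles as a pre-check before the firewall allowlist is enforced: any source it lists is traffic the new rule will drop, so each entry should be either added to the trusted set or explained before the rule goes live.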
Wind farm operators using Labkotec LID-3300IP ice detectors should upgrade to the Type 2 model with firmware V2.40, or at minimum isolate existing detectors from network access until remediation is complete. The critical CVSS 9.4 missing-authentication vulnerability means any network-accessible device can be remotely manipulated.
Delta Electronics CNCSoft-G2 users should update to version 2.1.0.39 and exercise caution with DPAX files from untrusted sources. Portwell Engineering Toolkits users should contact Portwell customer support for guidance, as the vendor has not cooperated with CISA coordination.
EV charging operators should continue the audit and remediation activities recommended in last week’s summary, now extended to cover ePower, Mobiliti, and Everon in addition to the six vendors previously disclosed.
Sources Referenced
Government Advisories & Directives
- ICSA-26-062-01: Mitsubishi Electric MELSEC iQ-F Series
- ICSA-26-062-02: Hitachi Energy Relion REB500
- ICSA-26-062-03: Hitachi Energy RTU500
- ICSA-26-062-04: Portwell Engineering Toolkits
- ICSA-26-062-05: Labkotec LID-3300IP
- ICSA-26-062-06: Mobiliti e-mobi.hu
- ICSA-26-062-07: ePower epower.ie
- ICSA-26-062-08: Everon OCPP Backends
- ICSA-26-064-01: Delta Electronics CNCSoft-G2
- CISA: Poland Energy Sector Cyber Incident
Threat Intelligence & Geopolitical Analysis
- Unit 42: March 2026 Escalation of Cyber Risk Related to Iran
- CNBC: CISA Stretched Thin as Iran Hacking Threat Escalates
- CloudSEK: Middle East Escalation Situation Report
- Industrial Cyber: Iranian Counteroffensive Targeting Gulf Energy
- Dragos 2026 OT Cybersecurity Year in Review
- Forescout: ICS Cybersecurity in 2026
Automotive Security
Medical Device & Healthcare Security
CISA Operations
Web Search Discoveries
- Fortune: Iran Could Use AI to Accelerate Cyberattacks on U.S. Infrastructure
- Sophos: Cyber Advisory on U.S.–Israel–Iran Escalation
- The Hacker News: Iran-Linked MuddyWater Targets U.S. Networks
- Cybersecurity Dive: CISA Lessons from Poland Power Grid Hack
- DirectIndustry: Industrial Cybersecurity Defense Strategies 2026
- Windows News: Delta CNCSoft-G2 CVE-2026-3094