News Summary week 15, 2026

A joint six-agency advisory warned that Iranian CyberAv3ngers are actively exploiting Rockwell Automation PLCs across U.S. water, energy, and government infrastructure, while CISA published five new ICS advisories—including a critical missing-authentication flaw in natural gas odorizer controllers—and a ransomware attack on Signature Healthcare forced ambulance diversions and chemotherapy cancellations.
Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published: April 11, 2026

Executive Summary

The week’s dominant development was joint advisory AA26-097A, issued April 7 by the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command, warning that Iranian-affiliated CyberAv3ngers are actively exploiting internet-exposed Rockwell Automation PLCs across U.S. water, energy, and government sectors—with Censys identifying 5,219 exposed devices globally, 3,891 of them in the United States. CISA published five new ICS advisories including a critical missing-authentication vulnerability in GPL Odorizers GPL750 natural gas odorant injection systems that could allow attackers to manipulate safety-critical chemical dosing. In healthcare, a ransomware attack on Signature Healthcare in Brockton, Massachusetts forced ambulance diversions, cancelled chemotherapy treatments, and shut down electronic health records, with the Anubis ransomware group claiming responsibility. NERC issued an alert urging electric utilities to lower their thresholds for reporting suspicious activity amid the escalating Iranian campaign.

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.


Week of April 3 – April 10, 2026

Critical Alerts & Advisories

The most consequential alert this week was AA26-097A, a joint advisory from six federal agencies and U.S. Cyber Command issued on April 7. The advisory disclosed that Iranian-affiliated actors linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC)—operating under the CyberAv3ngers persona and also tracked as Shahid Kaveh Group, Storm-0784, Bauxite, Hydro Kitten, and UNC5691—are actively exploiting internet-facing Rockwell Automation CompactLogix and Micro850 programmable logic controllers across U.S. critical infrastructure. What makes this campaign particularly insidious is its method: rather than exploiting zero-day vulnerabilities, the actors use Rockwell’s own legitimate engineering software, Studio 5000 Logix Designer, to establish accepted connections to exposed PLCs. Once inside, they deploy Dropbear SSH software on port 22 for persistent command-and-control, extract and modify PLC project files, and manipulate SCADA HMI display data so that operators see falsified process readings—creating a dangerous gap between what the system shows and what is actually happening in the physical process. CVE-2021-22681, an insufficiently protected cryptographic key vulnerability in Rockwell controllers, was added to CISA’s Known Exploited Vulnerabilities catalog in connection with this campaign.

Censys researchers quantified the exposure: 5,219 internet-facing hosts globally respond to EtherNet/IP on port 44818 and identify as Rockwell Automation/Allen-Bradley devices, with 3,891 (74.6%) located in the United States. Co-exposed services compound the risk—771 instances had VNC running (providing direct remote desktop access to HMI workstations), 292 had Modbus exposed, and 280 had Telnet active. The targeted sectors include water and wastewater systems, energy, and government services, with the campaign active since at least March 2026.

CISA published five ICS advisories across two releases this week, despite continuing to operate under a federal funding lapse that has reduced active staff. Two advisories were released on April 9 and three on April 2 (with the April 7 Mitsubishi advisory bridging the two).

The GPL Odorizers GPL750 advisory (ICSA-26-099-02), published April 9, stands out for its direct safety implications. The GPL750 series controls the injection of mercaptan and other odorants into natural gas pipelines—the chemical treatment that gives naturally odorless gas its distinctive smell, enabling leak detection. The vulnerability, a missing authentication for Modbus function codes, allows unauthenticated remote attackers to manipulate register values that control odorant dosing rates. Too little odorant and gas leaks become undetectable by smell; too much triggers false alarms or environmental contamination. The advisory covers multiple hardware variants (XL4, XL4 Prime, XL7, XL7 Prime) across a broad range of firmware versions, and GPL Odorizers has released updated software in conjunction with Horner Automation firmware updates.

The companion advisory for Contemporary Controls BASC-20T (ICSA-26-099-01) disclosed CVE-2025-13926, a CVSS 9.8 critical vulnerability in the BASControl20 building automation controller that allows attackers to enumerate PLC components, reconfigure devices, perform file transfers, and execute remote procedure calls by forging packets observed through network sniffing. Contemporary Controls has declared the BASC-20T obsolete and has no plans to issue a fix, leaving operators of legacy building automation systems without a vendor remediation path.

The Mitsubishi Electric GENESIS64 and ICONICS Suite advisory (ICSA-26-097-01), published April 7, addressed CVE-2025-14815 and CVE-2025-14816, cleartext storage vulnerabilities that expose SQL Server credentials in plaintext within local SQLite cache files. These HMI and SCADA visualization platforms are deployed in manufacturing, energy, and critical infrastructure environments worldwide. Mitsubishi is releasing version 10.98 with fixes.

The April 2 advisories for Siemens SICAM 8 (ICSA-26-092-01), Yokogawa CENTUM VP (ICSA-26-092-02), and Hitachi Energy Ellipse (ICSA-26-092-03) were first detailed in the week 14 summary, but organizations that have not yet acted should note that the Hitachi Energy Ellipse deserialization vulnerability (CVE-2025-10492, CVSS 9.8) remains under active exploitation and requires urgent patching for versions through 9.0.50.

Automotive CPS Security

The Automotive ISAC held its April 2026 community call under the theme “The AI Awakening of Automotive Cybersecurity,” exploring how artificial intelligence is reshaping both the attack surface and defensive capabilities across the connected vehicle ecosystem. The session drew on findings from monitoring hundreds of cyber incidents and tracking nearly 2,000 active threat actors, with a particular focus on how attackers are increasingly targeting backend systems and digital platforms rather than vehicles themselves. Upstream Security data shared during the discussion showed that 68% of incidents in 2025 involved data breaches, 92% were conducted remotely, and 61% had the potential to impact thousands to millions of mobility assets.

The GlassWorm supply chain campaign, first reported in week 14, continued to draw industry attention as VicOne and other automotive security firms highlighted its implications for connected vehicle software integrity. The campaign, which compromised 72 Visual Studio Code extensions, 88 npm packages, and 151 GitHub repositories using invisible Unicode characters to hide malicious payloads, raises fundamental concerns about the trustworthiness of open-source toolchains that automotive developers rely on for building software-defined vehicle platforms. Auto Connected Car News published analysis warning that the campaign represents “an unsettling new category of risk” for an industry that depends heavily on these same open-source ecosystems for everything from in-vehicle infotainment to autonomous driving software.

An ISO 15118 EV charging security flaw affecting millions of vehicles continued to generate discussion following its initial disclosure in late March. The vulnerability lies not in the standard itself but in widespread implementation shortcuts by charging infrastructure operators, where manufacturers prioritized deployment speed over robust authentication in the SLAC protocol that identifies which vehicle is connected to which charging station. Southwest Research Institute demonstrated that machine-in-the-middle attacks could manipulate or halt the charging process entirely.

Medical Device CPS Security

A ransomware attack on Signature Healthcare in Brockton, Massachusetts became the week’s most significant healthcare CPS incident. Suspicious activity was detected on April 6 on part of the hospital’s network, prompting officials to shut down systems and activate emergency protocols. The emergency room was placed on divert, with ambulances redirected to alternate facilities. Chemotherapy treatments were cancelled, pharmacies were unable to fill prescriptions, and the electronic medical record system and patient portal were taken offline. Staff resorted to large whiteboards to track patients and manage care in place of electronic bed-tracking systems. On April 9, the Anubis ransomware group claimed responsibility for the attack, though no patient data had been leaked as of the reporting period. The hospital is working with external cybersecurity experts, State Police, and the FBI.

The Stryker recovery continued to serve as a reference point for medical device cybersecurity discussions. The company confirmed full operational restoration following the March 11 attack attributed to the Iran-linked Handala group, which used a compromised Microsoft Intune administrator account to trigger simultaneous factory resets on devices across 79 countries. While Stryker maintained that no connected medical products were directly affected, the incident exposed how enterprise IT compromise at a major medical device manufacturer can ripple across the global healthcare supply chain through manufacturing and shipping disruptions.

Claroty’s discussion at RSAC 2026 with MultiCare Health System’s CISO highlighted a shift in the medical device security community toward exploitability management rather than attempting to remediate every vulnerability. With 89% of healthcare organizations operating connected medical devices containing known exploitable vulnerabilities, the industry is increasingly turning to tools like CISA’s KEV catalog and the Exploit Prediction Scoring System (EPSS) to prioritize the vulnerabilities that pose genuine exploitation risk, rather than chasing all 200,000-plus published CVEs.

Water & Wastewater Sector

The joint advisory AA26-097A has immediate and direct implications for the water sector. CyberAv3ngers have a documented history of targeting water and wastewater systems—their previous campaigns against Unitronics PLCs at U.S. water utilities led to Treasury Department sanctions—and the advisory explicitly names Water and Wastewater Systems as a targeted sector. The campaign’s ability to falsify HMI and SCADA display data is particularly dangerous in water treatment contexts, where operators rely on accurate readings of pressure, flow, temperature, and chemical balance to ensure safe drinking water. A technician viewing a falsified screen may believe treatment processes are operating normally while actual conditions diverge.

On April 8, CISA warned critical infrastructure providers that Iran-linked hackers had already disrupted U.S. infrastructure through PLC exploitation. NERC amplified the advisory, encouraging industry vigilance and lower thresholds for sharing suspicious activity. The convergence of active Iranian targeting, over 5,000 exposed Rockwell PLCs, and the documented 70% cybersecurity deficiency rate among inspected water utilities creates a risk profile that demands immediate attention from municipal water operators nationwide.

Energy & Power Grid

NERC’s response to the AA26-097A advisory was swift and explicit. Vice President Kimberly Mielcarek confirmed that the organization’s Watch Operations team is “actively monitoring the grid” while coordinating with the Department of Energy, the Electricity Subsector Coordinating Council, and federal and provincial partners. The alert urged all energy sector participants to review the advisory and lower their reporting thresholds for suspicious cyber or physical security activity.

The Iranian campaign’s targeting of energy sector PLCs compounds existing concerns. Nearly 4,000 U.S. industrial control devices are exposed to this specific attack vector, and the campaign’s technique of deploying persistent SSH backdoors and manipulating SCADA displays could enable attackers to blind grid operators to actual system conditions during critical periods. The Center for Strategic and International Studies (CSIS) published analysis characterizing Iran’s posture as a shift from episodic cyberattacks to a sustained campaign against critical infrastructure, noting that the current geopolitical tensions have transformed what were previously one-off incidents into an ongoing operational tempo.

The utility sector’s ransomware exposure remained elevated following the 630% surge documented in March. DragonForce ransomware’s April 2 attack on Fernheizwerk Neukölln, a Berlin district heating provider, illustrated the continued international scope of energy sector targeting.

Manufacturing & Industrial

The Mitsubishi Electric GENESIS64 and ICONICS Suite vulnerability (ICSA-26-097-01) directly affects manufacturing environments where these HMI and SCADA visualization platforms manage production monitoring and control. The cleartext credential storage flaws (CVE-2025-14815 and CVE-2025-14816) could allow a local attacker to harvest SQL Server credentials and then access, modify, or destroy production data, or trigger denial-of-service conditions on manufacturing execution systems. Organizations using versions prior to 10.98 should update promptly or disable the local caching feature as an interim mitigation.

The Contemporary Controls BASC-20T advisory, while addressing an obsolete product, highlights a persistent challenge in manufacturing and building automation: legacy controllers that remain in production environments long after vendors discontinue support. The CVSS 9.8 vulnerability allows complete device takeover through packet forgery, and with no patch forthcoming, organizations must either replace the hardware or implement strict network segmentation to isolate these controllers.

Manufacturing continued to bear the heaviest ransomware burden, maintaining its position as the most targeted sector for the fourth consecutive month. The pattern established in Dragos’s 2026 OT Cybersecurity Year in Review—manufacturing accounting for more than two-thirds of all ICS ransomware victims—showed no signs of abating.

Threat Intelligence Highlights

The AA26-097A advisory represents a significant escalation in the Iranian cyber campaign against U.S. critical infrastructure. The progression from targeting Unitronics PLCs (relatively simple devices with well-known default credential issues) to exploiting Rockwell Automation controllers using legitimate engineering software demonstrates increasing sophistication and ambition. The use of Studio 5000 Logix Designer—the same tool that OT engineers use for legitimate operations—means that initial access creates connections indistinguishable from normal engineering activity, complicating detection.

The advisory’s disclosure that attackers are deploying Dropbear SSH for persistent access and actively manipulating HMI/SCADA displays to show false readings indicates the campaign has moved beyond reconnaissance into operational disruption. The falsification of process displays is a technique with direct physical safety implications: operators making decisions based on incorrect data could inadvertently cause unsafe conditions in water treatment, chemical processing, or energy distribution systems.

Censys’s exposure analysis underscored the systemic nature of the problem. Beyond the 5,219 directly exposed Rockwell PLCs, the co-location of VNC, Telnet, and Modbus services on the same hosts suggests that many facilities have multiple unprotected pathways into their operational technology environments. The geographic concentration—nearly 75% of exposed devices in the United States—aligns with the advisory’s focus on U.S. critical infrastructure as the primary target.

Defensive Recommendations

All organizations operating Rockwell Automation CompactLogix or Micro850 PLCs should immediately audit their internet-facing exposure and remove any direct internet access to these devices. Review CISA advisory AA26-097A for specific indicators of compromise, including unexpected Dropbear SSH deployments on port 22, unauthorized Studio 5000 connections, and discrepancies between HMI displays and actual field conditions. Implement network segmentation to isolate PLCs behind firewalls, disable unnecessary communication protocols, and establish out-of-band verification procedures for critical process readings.

Natural gas utilities operating GPL Odorizers GPL750 systems should apply the latest firmware updates from GPL Odorizers and Horner Automation, and implement Modbus authentication or network-level access controls to prevent unauthorized register manipulation. Given the safety-critical nature of odorant injection, verify current odorant levels through independent field measurement.

Organizations running Mitsubishi Electric GENESIS64 or ICONICS Suite should update to version 10.98 or later. As an interim measure, disable the local caching feature and delete existing cache files from C:\ProgramData\ICONICS\Cache*.sdf to remove stored plaintext credentials.

Healthcare organizations should review the Signature Healthcare incident as a current example of ransomware impact on hospital operations and ensure that manual care delivery procedures are documented, tested, and accessible. Verify that ambulance diversion protocols, paper-based patient tracking, and pharmacy operations can function independently of electronic systems.

Energy sector operators should heed NERC’s guidance to lower reporting thresholds and actively monitor for the specific Iranian TTPs described in AA26-097A. Verify that Rockwell engineering workstation access is limited to authorized personnel with multi-factor authentication, and audit engineering software connections for unexpected source addresses.

Water utilities should treat the AA26-097A advisory as directly relevant regardless of whether they operate Rockwell equipment, as the underlying patterns—internet-exposed PLCs, weak authentication, and insufficient monitoring—apply across all ICS vendors. Conduct immediate audits of internet-facing OT devices and implement the EPA’s recommended cybersecurity practices.
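To make the audit steps above concrete, the following Python, an added example rather than code from the advisory or any vendor, runs the checks the Rockwell, energy-sector and water-utility recommendations describe (SSH to a PLC, engineering sessions from outside the engineering subnet, any PLC reachable from an external address, and a per-PLC inventory of co-exposed services) over a constructed firewall log. The PLC addresses, engineering subnet, RFC 1918 policy and CSV log format are assumptions; the log lines are constructed, not real traffic.

```python
"""Flag anomalous flows to Rockwell PLCs in a constructed firewall log (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed site inventory (assumed, not from the advisory): PLC addresses and the
# only subnet allowed to open Studio 5000 (EtherNet/IP, TCP/44818) sessions to them.
PLC_HOSTS = {"10.20.0.11", "10.20.0.12"}
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Service ports named in the advisory and the Censys exposure analysis.
SERVICES = {44818: "enip", 22: "ssh", 5900: "vnc", 502: "modbus", 23: "telnet"}

# Constructed sample log lines (not real traffic); 203.0.113.x and 198.51.100.x
# are documentation ranges standing in for external sources.
SAMPLE_LOG = """ts,src,dst,dport,action
2026-04-07T02:11:03Z,10.10.5.40,10.20.0.11,44818,allow
2026-04-07T02:14:55Z,203.0.113.77,10.20.0.11,44818,allow
2026-04-07T02:15:09Z,203.0.113.77,10.20.0.11,22,allow
2026-04-07T02:20:41Z,198.51.100.9,10.20.0.12,5900,allow
2026-04-07T02:21:02Z,198.51.100.9,10.20.0.12,502,allow
2026-04-07T03:00:00Z,10.10.5.41,10.20.0.12,44818,allow
2026-04-07T03:05:00Z,192.168.7.3,10.20.0.12,44818,deny
"""


def is_external(addr: str) -> bool:
    """Site policy assumption: anything outside RFC 1918 space is internet-side."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def analyze(log_text: str) -> dict:
    """Return per-PLC alerts and the set of services each PLC accepted from any source."""
    alerts, exposed = defaultdict(list), defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        dst, dport = row["dst"], int(row["dport"])
        if dst not in PLC_HOSTS or row["action"] != "allow":
            continue  # only allowed flows to known PLCs matter here
        src = ipaddress.ip_address(row["src"])
        if dport in SERVICES:
            exposed[dst].add(SERVICES[dport])
        # A PLC should never serve SSH; the advisory ties SSH on port 22 to Dropbear persistence.
        if dport == 22:
            alerts[dst].append(("ssh_to_plc", row["src"], row["ts"]))
        # Engineering (Studio 5000) sessions are legitimate only from the engineering subnet.
        if dport == 44818 and src not in ENGINEERING_NET:
            alerts[dst].append(("enip_from_unexpected_source", row["src"], row["ts"]))
        # Any allowed flow from an external address means the PLC is internet-exposed.
        if is_external(row["src"]):
            alerts[dst].append(("internet_exposed", row["src"], row["ts"]))
    return {"alerts": dict(alerts), "exposed": {k: sorted(v) for k, v in exposed.items()}}
```

Point `analyze()` at an export of real firewall or flow logs in the same column layout to get the same alert tuples per PLC.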
