Executive Summary
The week of May 1–8, 2026 was anchored by two parallel developments that together define the current strategic moment in CPS security: a major new defensive posture framework from CISA, and fresh research quantifying how badly current defenses are outpaced by disclosure volume. On May 5, CISA published the CI Fortify guidance, which for the first time formally asks every critical infrastructure sector (water, energy, transportation, healthcare and the rest) to plan, practice, and be capable of operating with telecommunications and internet dependencies severed. The same day, CISA published four ICS advisories covering three ABB B&R products (PVI Client, Automation Runtime, Automation Studio) and Hitachi Energy PCM600, with a fifth advisory following on May 7 for the MAXHUB Pivot collaboration platform.
Forescout’s research published this week provided structural context for why CI Fortify is urgent: CISA published 508 ICS advisories covering 2,155 CVEs in 2025 alone, and 61% of high- or critical-severity vulnerabilities affecting ICS products still lack a corresponding CISA advisory, meaning asset owners have no automatic channel through which to learn they are exposed. Together, these developments point toward a threat environment where the advisory system — the bedrock of patch-and-mitigate cycles — cannot keep pace with the vulnerability surface.
The CyberAv3ngers PLC campaign (AA26-097A) continued to drive elevated monitoring posture across water, energy, and government sectors, now entering its seventh week as a live active-threat advisory.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of May 1–8, 2026
Critical Alerts & Advisories
CISA CI Fortify: Guidance for Geopolitical Cyber Conflict
On May 5, 2026, CISA published the CI Fortify guidance document and launched a supporting initiative under the same name. The guidance represents a significant shift in doctrine: rather than emphasizing prevention and patch cycles, CI Fortify asks critical infrastructure entities across all sixteen CISA-designated sectors to develop, test, and regularly exercise capabilities to operate in full isolation — disconnected from internet services, cloud platforms, telecommunications providers, and third-party technology vendors.
The framework organizes requirements around two capabilities. Isolation requires organizations to identify every external dependency in their operational environment and pre-plan the manual or airgapped procedures that would replace each dependency if severed under attack. Recovery requires documented system configurations, offline backups of critical files and historian data, and tested procedures for replacing or transitioning individual systems to manual control if isolation fails and components are rendered inoperable. CISA’s guidance uses the phrase “geopolitical crisis” explicitly, framing the target scenario as a nation-state adversary that deliberately degrades both the operational system and the communications infrastructure the organization would use to coordinate a response.
The practical implication for OT environments is significant. Many ICS deployments have moved toward cloud-connected historian, HMI, and asset management platforms over the past decade. CI Fortify asks operators to treat each of those cloud dependencies as a single point of failure and to maintain a tested fallback procedure for every one of them.
Water utilities, hospitals, and smaller municipal energy operators are the segments most likely to lack documented isolation playbooks. CISA committed to publishing sector-specific CI Fortify annexes throughout the remainder of 2026.
May 5 Advisory Batch: ABB B&R and Hitachi Energy
CISA published four ICS advisories on May 5 covering three distinct product families from two vendors, all relevant to OT and engineering workstation environments.
ICSA-26-125-01: Hitachi Energy PCM600 addresses a path traversal vulnerability in the PCM600 Protection and Control IED Manager, the engineering workstation software used to configure intelligent electronic devices in power substations and distribution automation environments. The flaw, assigned CVE-2018-1002208 with a CVSS v4 score of 7.3 (High), exists in the SharpZipLib archive extraction library bundled with PCM600. A crafted ZIP archive can direct file writes to arbitrary paths on the workstation via the classic Zip Slip technique, where a ../ sequence in a ZIP entry filename escapes the intended extraction directory. Exploitation requires user interaction — an engineer must open a malicious project archive — but no authentication is required, and social engineering of engineers through plausible-looking project file attachments is a well-established ICS attack vector. Affected versions include all PCM600 Legacy releases through 2.11 and PCM600 3.0 through 3.1 SP3. PCM600 is globally deployed at power generation facilities, transmission substations, and distribution automation sites that rely on ABB and Hitachi Energy protection relay products. Organizations should apply the Hitachi Energy patch and treat externally sourced PCM600 project files as untrusted inputs.
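The Zip Slip mechanism described above, as an added example that is not code from Hitachi Energy, CISA or SharpZipLib: a small malicious archive is constructed in memory (not a real PCM600 project), the naive target-path computation a vulnerable extractor performs is shown beside a hardened extractor that rejects any entry resolving outside the destination, and absolute-path and backslash variants are covered as well as the `../` case. The destination path `/opt/projects` used for the dry run is a hypothetical reference directory.

```python
"""Zip Slip audit for archive-based engineering project files.

Added example, not code from Hitachi Energy, CISA or SharpZipLib. It builds a
small malicious ZIP in memory (a constructed sample, not a real PCM600 project)
and shows the naive target-path computation that Zip Slip abuses next to a
hardened extractor that refuses any entry resolving outside the destination.
"""
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<config/>")
        # Relative traversal: '..' climbs out of the extraction directory.
        zf.writestr("../../Startup/payload.exe", b"MZ")
        # Absolute path: os.path.join discards the destination entirely.
        zf.writestr("/etc/cron.d/job", "* * * * * root true\n")
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """What a vulnerable extractor does: join the entry name and trust it."""
    return os.path.join(dest, name)


def entry_verdict(dest: str, name: str) -> str:
    """'ok' if the entry resolves inside dest, otherwise 'traversal'.

    Backslashes are normalised first so a name that is harmless on Linux but
    traverses on Windows is still rejected; absolute paths and drive letters
    are rejected outright; realpath resolves '..' and symlinks in dest.
    """
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/") or ":" in norm.split("/")[0]:
        return "traversal"
    root = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(root, norm))
    if candidate == root or candidate.startswith(root + os.sep):
        return "ok"
    return "traversal"


def audit_archive(data: bytes, dest: str = "/opt/projects") -> dict:
    """Dry run: verdict per entry, nothing written. dest is a reference root."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: entry_verdict(dest, info.filename)
                for info in zf.infolist()}


def safe_extract(data: bytes, dest: str):
    """Extract only entries that pass entry_verdict; return (extracted, rejected).

    Writes are done by hand rather than via ZipFile.extract so the check is
    explicit: CPython's extract() sanitises names itself, but the hand-rolled
    and third-party extractors that Zip Slip targets historically did not.
    """
    root = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_verdict(root, info.filename) != "ok":
                rejected.append(info.filename)
                continue
            target = os.path.join(root, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def extract_to_temp(data: bytes):
    """Run safe_extract in a scratch directory; return (extracted, rejected, files written)."""
    with tempfile.TemporaryDirectory() as scratch:
        extracted, rejected = safe_extract(data, scratch)
        written = sorted(
            os.path.relpath(os.path.join(d, f), scratch)
            for d, _, files in os.walk(scratch) for f in files)
    return extracted, rejected, written


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, verdict in audit_archive(archive).items():
        print(f"{verdict:9} {name!r} -> naive target {naive_target('/opt/projects', name)}")
    print(extract_to_temp(archive))
```

The dry-run `audit_archive` is the piece worth running against every externally sourced project archive before it is opened by the engineering tool. The check is name-based only: an archive format that stores symlink entries needs the extractor to refuse or skip those too, since a symlink pointing outside the destination followed by a later entry written through it defeats a path check alone.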
ICSA-26-125-02: B&R PVI Client covers an information disclosure vulnerability in the B&R Process Visualization Interface client software, which serves as the engineering and runtime interface for B&R PLC and motion controller installations. The flaw, an insertion of sensitive information into a log file, allows an authenticated local attacker to read credential material from PVI client log files. While exploitation requires local access, shared engineering workstations in OT environments frequently have multiple users, and workstations compromised via initial IT intrusion give attackers local access without physical presence. The logging function responsible for the disclosure is disabled by default; organizations that have enabled verbose logging for troubleshooting purposes are most exposed. Updating to version 6.5 or later addresses the issue.
ICSA-26-125-03: ABB B&R Automation Runtime addresses a denial-of-service vulnerability (CVE-2025-11044) in the B&R Automation Runtime, the real-time operating environment that executes PLC programs on B&R hardware controllers deployed in manufacturing, packaging, and process automation environments. An unauthenticated attacker with network access to the ANSL server port can send a crafted packet that triggers a crash, halting the runtime and causing any process controlled by the affected PLC to stop. The vulnerability results from insufficient throttling and input limiting in the ANSL Server component. Given that Automation Runtime directly manages machine motion, conveyor logic, and process control outputs, an unauthenticated crash trigger from the plant network represents a meaningful disruption risk. Remediated versions are Automation Runtime 6 at 6.5 or later, and Automation Runtime 4 at R4.93 or later.
ICSA-26-125-04: ABB B&R Automation Studio covers a man-in-the-middle vulnerability (CVE-2025-11043) in B&R Automation Studio, the IDE and engineering tool used to develop, configure, and commission B&R PLC programs. Automation Studio performs improper TLS certificate validation when establishing connections to controllers via ANSL over TLS and via OPC-UA. An attacker with network access to the path between the engineering workstation and the controller can intercept and potentially modify traffic, masquerading as a trusted target system. The consequence in an OT context is that a compromised network segment could allow an attacker to feed manipulated engineering data to Automation Studio, potentially leading engineers to make configuration changes based on falsified controller state. The fix modifies the ANSL and OPC-UA client certificate validation logic. Organizations should update Automation Studio to version 6.5 or later before their next engineering session.
May 7 Advisory: MAXHUB Pivot Client (ICSA-26-127-01)
On May 7, CISA published ICSA-26-127-01 covering a cryptographic weakness in the MAXHUB Pivot collaboration platform client application. The vulnerability, a hardcoded AES encryption key embedded in the application binary, allows any party who decompiles or reverses the client to decrypt tenant email addresses and associated metadata extracted from the platform. Prior to version v1.36.2, an attacker who queries MAXHUB Pivot’s API can obtain encrypted tenant identifiers and, using the hardcoded key, decrypt them to enumerate valid tenant email addresses. While MAXHUB Pivot is primarily a meeting room and enterprise collaboration tool rather than an OT product, it is deployed in operational environments including manufacturing facilities and utilities that use it for cross-functional meetings and shift handover communications. Account enumeration through tenant email disclosure can feed phishing and credential stuffing campaigns targeting operational staff. Organizations should update Pivot clients to v1.36.2 or later.
Automotive CPS Security
No new zero-day disclosures or incident reports specific to automotive systems were published during the May 1–8 window. The dominant trend in automotive cybersecurity this week remained the structural issue documented in VicOne’s 2026 Automotive Cybersecurity Report, released earlier this spring: incidents increasingly span entire organizations rather than isolated vehicle systems, and the convergence of in-vehicle software, cloud backend services, and fleet management platforms means a single supply-chain or API compromise can affect large numbers of vehicles simultaneously.
The MAXHUB Pivot advisory (ICSA-26-127-01) has peripheral relevance to automotive environments: connected vehicle development labs and OEM engineering centers commonly deploy collaboration platforms for cross-team engineering work, and tenant email enumeration vulnerabilities in these tools can serve as reconnaissance input for targeted phishing against automotive security engineers and OTA update infrastructure administrators.
The Pwn2Own Automotive 2026 figures cited in earlier reporting — 76 zero-days, $1,047,000 awarded, with EV chargers from multiple manufacturers exploited — continued to be cited as baseline context in automotive security briefings throughout the week.
Medical Device CPS Security
Forescout published research this week documenting 162 vulnerabilities across connected medical devices, drawing from an analysis of devices observed across healthcare networks. The research identified gaps between vendor-disclosed vulnerabilities and the corresponding availability of CISA ICS advisories, mirroring the broader OT visibility gap quantified in Forescout’s ICS advisory analysis. Healthcare organizations relying solely on CISA advisories for vulnerability awareness may be unaware of a significant portion of their exposed device surface.
The FDA’s enforcement posture under Section 524B of the FD&C Act continued to generate industry activity this week. Section 524B and the FDA premarket guidance implementing it, which require manufacturers to submit Security Risk Management Reports, Software Bills of Materials, and Coordinated Vulnerability Disclosure programs with premarket submissions, are now shaping procurement conversations at hospital systems that have begun requiring demonstrated Section 524B compliance from vendors as a condition of device purchase. Healthcare cybersecurity teams reported increasing friction in procurement reviews for legacy devices whose manufacturers have not yet developed disclosure programs or SBOM tooling.
The MITRE analysis from late April, warning that cloud-dependent medical devices represent a systemic single-point-of-failure risk when cloud infrastructure is attacked, continued to be circulated in healthcare security briefings during the week.
Water & Wastewater Sector
The CyberAv3ngers PLC campaign (AA26-097A) entered its seventh week as a live active-threat advisory, continuing to define the water sector’s primary security posture. WaterISAC maintained daily bulletin amplification of the advisory throughout the week. The EPA continued outreach to state drinking water primacy agencies on the removal of Rockwell/Allen-Bradley EtherNet/IP devices from internet-routable segments.
The CI Fortify guidance published May 5 is directly applicable to water utilities, which face a specific challenge: many smaller utilities have moved toward cloud-connected SCADA and asset management systems as a cost-effective alternative to on-premises infrastructure, but lack the staffing or documentation to execute a manual fallback if cloud connectivity is severed under attack. CISA’s CI Fortify team identified water utilities as a priority sector for the planned sector-specific annexes.
No new water sector-specific incidents were reported during the May 1–8 period beyond the continuation of the Iranian-affiliated PLC campaign.
Energy & Power Grid
The Hitachi Energy PCM600 advisory (ICSA-26-125-01) is the most directly relevant energy sector advisory from the week. PCM600 is the primary engineering tool for configuring ABB and Hitachi Energy protection relays and IEDs in transmission substations and distribution automation installations globally. Zip Slip exploitation that requires only a plausible-looking engineering project file to be opened gives adversaries a realistic initial access path into substation engineering workstations, from which lateral movement toward EMS or DMS systems is possible in environments where workstation network segmentation is insufficiently enforced.
The ABB B&R Automation Runtime DoS (CVE-2025-11044) also affects energy sector installations where B&R hardware is deployed in generation facility control rooms, compressor stations, and balance-of-plant automation.
The CI Fortify guidance carries specific implications for energy operators. Transmission and distribution control centers that rely on cloud historian and OT monitoring platforms should document and exercise the manual fallback procedures for each external dependency, including data aggregation, alarm management, and outage coordination workflows.
The DOE’s $160 million cybersecurity allocation to CESER (Office of Cybersecurity, Energy Security, and Emergency Response), publicized in late April and remaining under active discussion this week, reflects the federal investment backing CI Fortify and related energy sector resilience programs.
Manufacturing & Industrial
The ABB B&R advisory batch (ICSA-26-125-02 through -04) is most directly relevant to manufacturing environments, where B&R Automation Runtime and Automation Studio are widely deployed for machine control and production line automation. An unauthenticated crash trigger against Automation Runtime on an accessible ANSL port is a realistic disruption vector in flat OT/IT network environments where plant-floor controllers share network segments with engineering workstations and production management systems.
Forescout’s data this week reinforced the structural challenge: 82% of ICS advisories published in 2025 were rated high or critical severity, yet 61% of high- and critical-severity vulnerabilities affecting ICS products still lack an associated CISA advisory. For manufacturing operators who rely on advisory feeds as their primary vulnerability awareness mechanism, this gap means that a substantial portion of their controller and automation suite exposure is invisible through standard channels. Continuous OT asset discovery and direct vendor advisory subscriptions are necessary supplements.
The OPSWAT report published around the same time documented that every OT breach in its dataset had at least one file transfer event in the attack chain (USB media, email attachments, or file shares), reinforcing the relevance of the PCM600 Zip Slip flaw, which exploits exactly the file-opening behavior of engineering workstations.
Threat Intelligence Highlights
Forescout’s ICS advisory analysis, released this week, provides the most significant threat intelligence development of the week from a structural standpoint. The research found that between March 2010 and January 2026, CISA published 3,637 ICS advisories covering 12,174 vulnerabilities across 2,783 products from 689 vendors. The acceleration is striking: from 67 advisories in 2011 to 508 in 2025. The more operationally significant finding is the visibility gap: the majority of high- and critical-severity CVEs affecting ICS products are not covered by a corresponding CISA advisory, so asset owners get no centralized alert and must actively monitor vendor bulletin feeds to maintain situational awareness. Forescout’s separate 2026 Riskiest Connected Devices report found that routers and network infrastructure devices have surpassed traditional endpoints as the riskiest device class in connected OT environments, with routers and switches averaging nearly 32 vulnerabilities per device.
The Iranian-affiliated threat cluster — coordinated through the Electronic Operations Room structure documented by Palo Alto Unit 42 in April, encompassing CyberAv3ngers, Handala, and at least one additional group — remained on elevated posture. No new major Iranian-attributed CPS incidents were reported during May 1–8, but the structural conditions that produced the PLC campaign (internet-exposed PLCs with no vendor patch for the exploited CVE) remain unchanged.
The Canadian Centre for Cyber Security’s advisory AV26-417, published this week, aggregated the week’s CISA ICS advisories for Canadian critical infrastructure operators, providing a parallel advisory channel for organizations operating across North American interconnected systems.
Defensive Recommendations
Organizations running Hitachi Energy PCM600 should apply the vendor patch addressing CVE-2018-1002208 immediately and treat all externally sourced PCM600 project files, including those received by email or downloaded from file sharing services, as untrusted inputs requiring verification before opening. Engineers should be briefed on the social engineering risk: a maliciously crafted project file is indistinguishable from a legitimate one without verification procedures. Workstations running PCM600 should be isolated from general corporate networks and run file integrity monitoring that alerts on writes landing outside the expected project directories, since a Zip Slip payload only succeeds if it reaches a path the attacker chooses, such as a startup folder or a system directory.
Organizations using ABB B&R Automation Studio should update to version 6.5 or later before the next engineering session that involves live connections to production controllers. Until patching is complete, engineering workstations should only connect to controllers over network paths that are not accessible to untrusted hosts. The man-in-the-middle risk from CVE-2025-11043 requires network-layer control in addition to the software patch, since an attacker already on a network segment could intercept engineering traffic before the workstation update is applied.
B&R Automation Runtime operators should update to 6.5 or R4.93 as applicable. Until patching is complete, the ANSL Server port should be restricted via host-based firewall or network ACL to permit connections only from authorized engineering workstations. Unauthenticated DoS vulnerabilities in PLCs require network access controls as the primary short-term mitigation.
B&R PVI client users who have enabled verbose logging for troubleshooting purposes should update to v6.5 or later, clear existing log files, and restrict log directory permissions to privileged accounts only.
All critical infrastructure operators should review the CI Fortify guidance published by CISA on May 5 and begin the following actions: inventory every cloud and internet-dependent service in the OT environment; document the manual or offline procedure that would replace each service if severed; assign responsibility for maintaining those procedures; and schedule a tabletop exercise in Q3 or Q4 2026 to test the isolation and recovery playbooks under realistic time pressure. The guidance is publicly available at the CISA CI Fortify page and the planning framework applies regardless of sector.
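The first two CI Fortify actions above (inventory every external dependency, then document a fallback for each) can be bootstrapped from the flow records the OT boundary firewall already produces. The following is an added example, not CISA tooling: every CIDR, host name, flow record, service label and fallback note in it is constructed for illustration, and the real inputs would be NetFlow/IPFIX or firewall connection logs plus the site's own address plan in place of `INTERNAL_NETS`.

```python
"""External-dependency inventory for an OT segment, built from flow records.

Added example, not CI Fortify tooling from CISA. Every CIDR, host name, flow
record, service label and fallback note below is constructed for the example.
Real input would be NetFlow/IPFIX or firewall connection logs exported from the
OT boundary, and INTERNAL_NETS would be the site's own address plan.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed: the site's own OT and enterprise ranges. Anything outside these is
# an external dependency, whether or not the address is technically "public".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.0.0/16")]

# Constructed flow records (documentation-range addresses for external hosts).
SAMPLE_FLOWS = """\
src_host,src_ip,dst_ip,dst_port,proto
hist-01,10.20.1.15,203.0.113.40,8883,tcp
hist-01,10.20.1.15,10.20.1.5,4840,tcp
hmi-03,10.20.2.11,10.20.1.15,1433,tcp
plc-gw-02,10.20.3.4,203.0.113.40,8883,tcp
eng-ws-01,10.20.5.9,192.0.2.17,443,tcp
eng-ws-01,10.20.5.9,198.51.100.9,443,tcp
eng-ws-01,10.20.5.9,10.20.0.53,53,udp
ntp-relay,10.20.0.10,198.51.100.123,123,udp
"""

# Constructed: what each known external endpoint is, from the operator's records.
SERVICE_LABELS = {
    ("203.0.113.40", 8883, "tcp"): "cloud historian (MQTT)",
    ("192.0.2.17", 443, "tcp"): "cloud asset management portal",
    ("198.51.100.123", 123, "udp"): "external NTP",
}

# Constructed: documented manual/offline replacements. Missing keys are gaps.
FALLBACKS = {
    "cloud historian (MQTT)": "local store-and-forward buffer, 72h retention",
    "external NTP": "GPS-disciplined site clock",
}

UNKNOWN = "UNKNOWN (investigate)"


def parse_flows(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dst_port"] = int(row["dst_port"])
    return rows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_dependencies(flows: list) -> dict:
    """Map each source host to the set of external (ip, port, proto) it talks to."""
    deps = defaultdict(set)
    for f in flows:
        if not is_internal(f["dst_ip"]):
            deps[f["src_host"]].add((f["dst_ip"], f["dst_port"], f["proto"]))
    return dict(deps)


def build_inventory(deps: dict) -> list:
    """One row per (host, external endpoint), labelled and with its fallback if any."""
    rows = []
    for host in sorted(deps):
        for ep in sorted(deps[host]):
            service = SERVICE_LABELS.get(ep, UNKNOWN)
            rows.append({
                "host": host,
                "endpoint": f"{ep[0]}:{ep[1]}/{ep[2]}",
                "service": service,
                "fallback": FALLBACKS.get(service),
            })
    return rows


def isolation_gaps(inventory: list) -> list:
    """Dependencies with no documented fallback: single points of failure under isolation."""
    return [r for r in inventory if r["fallback"] is None]


if __name__ == "__main__":
    inventory = build_inventory(external_dependencies(parse_flows(SAMPLE_FLOWS)))
    for r in inventory:
        print(f"{r['host']:10} {r['endpoint']:22} {r['service']:32} fallback={r['fallback']}")
    print(f"{len(isolation_gaps(inventory))} dependencies lack a fallback")
```

Two design points matter for OT use. "Internal" is defined by the site's own address plan rather than by whether an address is RFC 1918 private, because a vendor remote-access tunnel or a carrier-provided management network can arrive on private addressing and is still a dependency that an isolation event severs. And an unlabelled external endpoint is treated as a gap in its own right: an undocumented dependency cannot have a fallback, so it goes on the tabletop agenda before the labelled ones.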
Organizations relying solely on CISA ICS advisories for OT vulnerability awareness should establish direct vendor advisory subscriptions for every ICS product in their environment as a matter of urgency. Forescout’s data showing that 61% of high- and critical-severity ICS CVEs lack a corresponding CISA advisory means that advisory-only monitoring misses the majority of serious vulnerabilities. Asset inventory tools capable of correlating deployed firmware versions against NVD entries provide broader coverage than advisory feeds alone.
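The correlation step recommended above, and the visibility gap quantified under Threat Intelligence Highlights, can be shown with a small matcher that checks installed versions against affected-version ranges. This is an added example, not a vendor or CISA tool. The ranges for PCM600, B&R Automation Runtime, Automation Studio and PVI Client are taken from the advisory summaries earlier in this report; the inventory hosts are constructed; lower bounds the advisories do not state are assumed to be 0; and the final advisory entry is a deliberately fictional vendor-only bulletin (no real product, flaw or identifier), included only so that a finding with no CISA advisory can be shown being flagged.

```python
"""Correlate an OT asset inventory against affected-version ranges.

Added example, not a vendor or CISA tool. The version ranges for PCM600, B&R
Automation Runtime, Automation Studio and PVI Client are taken from the
advisories summarised above; the inventory hosts are constructed, and the last
advisory entry is a deliberately fictional vendor-only bulletin (no real
product, flaw or identifier) included only to show how a finding with no CISA
advisory is flagged. Lower bounds the advisories do not state are assumed 0.
"""


def parse_version(text: str) -> tuple:
    """Normalise 'R4.93', '6.4.1' and '3.1 SP3' into a comparable tuple."""
    s = text.strip().upper()
    if s.startswith("R"):          # B&R writes Automation Runtime 4 as R4.xx
        s = s[1:]
    sp = 0
    if " SP" in s:                 # service packs sort after the base release
        s, sp_text = s.split(" SP", 1)
        sp = int(sp_text)
    parts = [int(p) for p in s.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (sp,)


def in_range(version: str, lo: str, hi: str, hi_inclusive: bool) -> bool:
    v, lo_v, hi_v = parse_version(version), parse_version(lo), parse_version(hi)
    return lo_v <= v and (v <= hi_v if hi_inclusive else v < hi_v)


# (lo, hi, hi_inclusive): "through 2.11" is inclusive, "fixed in 6.5" is exclusive.
ADVISORIES = [
    {"product": "Hitachi Energy PCM600", "id": "ICSA-26-125-01", "cisa": True,
     "affected": [("0", "2.11", True), ("3.0", "3.1 SP3", True)]},
    {"product": "B&R PVI Client", "id": "ICSA-26-125-02", "cisa": True,
     "affected": [("0", "6.5", False)]},
    {"product": "B&R Automation Runtime", "id": "ICSA-26-125-03", "cisa": True,
     "affected": [("4.0", "4.93", False), ("6.0", "6.5", False)]},
    {"product": "B&R Automation Studio", "id": "ICSA-26-125-04", "cisa": True,
     "affected": [("0", "6.5", False)]},
    # Fictional placeholder for a vendor-only bulletin; not a real product or flaw.
    {"product": "ExampleVendor ExampleController", "id": "EXAMPLE-VENDOR-BULLETIN-0",
     "cisa": False, "affected": [("2.0", "2.4", False)]},
]

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("sub-ews-01", "Hitachi Energy PCM600", "3.1 SP2"),
    ("sub-ews-02", "Hitachi Energy PCM600", "3.2"),
    ("line4-plc", "B&R Automation Runtime", "R4.91"),
    ("line5-plc", "B&R Automation Runtime", "6.5"),
    ("eng-ws-01", "B&R Automation Studio", "6.4"),
    ("packer-ctrl", "ExampleVendor ExampleController", "2.3.0"),
]


def match(inventory, advisories) -> list:
    """Return one finding per (host, advisory) whose installed version is affected."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] != product:
                continue
            if any(in_range(version, lo, hi, inc) for lo, hi, inc in adv["affected"]):
                findings.append({"host": host, "product": product, "version": version,
                                 "advisory": adv["id"],
                                 "coverage": "CISA" if adv["cisa"] else "vendor bulletin only"})
    return findings


def uncovered(findings) -> list:
    """Findings an advisory-feed-only monitor would never surface."""
    return [f for f in findings if f["coverage"] != "CISA"]


if __name__ == "__main__":
    found = match(INVENTORY, ADVISORIES)
    for f in found:
        print(f"{f['host']:12} {f['product']:32} {f['version']:8} {f['advisory']} [{f['coverage']}]")
    print(f"{len(uncovered(found))} of {len(found)} findings have no CISA advisory")
```

The version normaliser is the part that breaks in practice: ICS vendors mix "R" prefixes, service-pack suffixes and plain dotted numbers, and a matcher that compares version strings lexically will miss "R4.91" against "4.93" or rank "3.1 SP3" below "3.1". Feeding the `ADVISORIES` table from vendor bulletins as well as the CISA feed is what closes the 61% gap the Forescout data describes; the `coverage` field makes visible which findings would have been invisible to advisory-only monitoring.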
Sources Referenced
Government Advisories & Alerts
- ICSA-26-125-01: Hitachi Energy PCM600 (CISA)
- ICSA-26-125-02: B&R PVI Client (CISA)
- ICSA-26-125-03: ABB B&R Automation Runtime (CISA)
- ICSA-26-125-04: ABB B&R Automation Studio (CISA)
- ICSA-26-127-01: MAXHUB Pivot Client Application (CISA)
- CI Fortify: CISA Unveils New Initiative to Fortify America’s Critical Infrastructure (CISA)
- CI Fortify Guidance and Framework (CISA)
- AV26-417: Control Systems CISA ICS Security Advisories (Canadian Centre for Cyber Security)
- ICS Advisories Listing (CISA)
CI Fortify Coverage
- CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict (SecurityWeek)
- CISA Tells Critical Organizations to Prepare for Cyber Outages (Federal News Network)
- CISA Unveils CI Fortify to Help Secure Critical Infrastructure During Conflicts (Nextgov/FCW)
- New CISA Initiative Aims for Critical Infrastructure to Operate Offline During Cyberattacks (The Record)
- CI Fortify Targets Critical Infrastructure Threats (The Cyber Express)
- CISA Announces Initiative to Bolster Critical Infrastructure Against Nation-State Cyberattacks (AHA)
Advisory Technical Analyses
- PCM600 Zip Slip Path Traversal Flaw Prompts CISA Warning (Windows Forum)
- ABB B&R Automation Runtime DoS CVE-2025-11044 (Windows Forum)
- CVE-2025-11043: ABB Automation Studio Certificate Flaw (Windows Forum)
- ABB B&R Automation Runtime (ASSURANT Cyber)
- ABB B&R Automation Studio (ASSURANT Cyber)
- Cyber Threat Intelligence 07 May 2026 (NCSA Thailand NSOC)
Forescout Research
- Forescout Flags Spike in High-Severity OT/ICS Flaws, Exposing Visibility Gaps (Industrial Cyber)
- ICS Cybersecurity in 2026: Vulnerabilities and the Path Forward (Forescout)
- Forescout 2026 Riskiest Connected Devices Report (Industrial Cyber)
- Forescout Research Reveals 162 Vulnerabilities in Connected Medical Devices (Industrial Cyber)
- Record ICS Vulnerabilities Could Leave Critical Infrastructure Exposed (BetaNews)