Executive Summary
The week of May 15–22, 2026 brought two significant policy developments that together mark a potential turning point for water and wastewater sector security: the House Science, Space and Technology Subcommittee on Environment convened its first formal congressional hearing on water infrastructure cybersecurity on May 19 — the first such session since the CyberAv3ngers PLC campaign advisory was issued in early April — and the Government Accountability Office published GAO-26-109159 on May 21, documenting that the majority of U.S. water utilities operate decade-old control systems with outdated software, no dedicated cybersecurity staff, and protocols like Modbus TCP that offer zero authentication. CISA issued five new ICS advisories on May 19 and four more on May 21, covering embedded systems from Siemens, ABB, and ICONICS across industrial automation and building management. The Department of Energy’s Cybersecurity, Energy Security, and Emergency Response office formally released its five-year security plan for FY 2026–2030, and the House Energy Subcommittee advanced five bipartisan cybersecurity bills targeting grid and pipeline protection. The CyberAv3ngers PLC campaign, now entering its ninth week as a live CISA advisory, remained the dominant active threat context across water, wastewater, and energy operators.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of May 15–22, 2026
Critical Alerts & Advisories
ICS Advisories, May 19 and May 21
CISA issued two advisory batches during the week. The May 19 release (ICSA-26-139 series, five advisories) covered vulnerabilities in industrial automation and building management products from Siemens, ABB, and ICONICS. The May 21 batch (ICSA-26-141 series, four advisories) included additional Siemens product coverage along with advisories for WAGO and Mitsubishi Electric industrial controllers.
Among the May 19 advisories, the most operationally significant was ICSA-26-139-03, covering the ICONICS GENESIS64 and MobileHMI platforms. ICONICS products are deployed widely in building management systems, utility SCADA, and transportation infrastructure across the United States and Europe. The advisory disclosed an improper input validation flaw in the platform’s web services component that allows an unauthenticated remote attacker to inject arbitrary commands into the server process. The CVSS v4 score of 9.1 places it in the critical tier. ICONICS issued a patch in version 10.97.3; the advisory recommends isolating GENESIS64 web interfaces from direct internet exposure while patch deployment is scheduled. ICONICS was acquired by Mitsubishi Electric in 2010 and its HMI platform is deeply embedded in Mitsubishi’s smart building and factory automation offerings, meaning the blast radius of a successful exploitation extends well beyond standalone GENESIS64 installations.
ICSA-26-139-05 covered the ABB ASPECT Building Management System, a supervisory platform for HVAC, lighting, access control, and energy metering in commercial and industrial facilities. The advisory documented a stored cross-site scripting flaw in the ASPECT configuration interface combined with an insecure direct object reference that allows an authenticated user to access configuration data belonging to other tenants in multi-site deployments. In environments where ABB ASPECT manages security-adjacent building systems — access control relay scheduling, server room environmental monitoring — privilege escalation via the XSS chain carries implications beyond building management alone.
The May 21 WAGO advisory (ICSA-26-141-02) addressed a vulnerability in the WAGO PFC200 programmable field controller, a compact PLC widely used in panel and cabinet automation. The flaw is a heap buffer overflow in the CODESYS runtime that underlies the WAGO firmware, reachable via a malformed network request on the controller’s programming port. CODESYS-based heap overflows have a documented history of OT exploitation: the runtime underpins a large fraction of European programmable controller deployments, and vulnerabilities in the runtime layer apply across all vendors that license it rather than to a single manufacturer’s product. WAGO issued firmware 03.11.03 as the fix; the advisory recommends restricting programming-port access to authorized engineering workstations at the network level while patches are applied.
Mitsubishi Electric’s MELSEC iQ-R series PLCs received an advisory (ICSA-26-141-04) for a denial-of-service vulnerability reachable via a crafted EtherNet/IP packet. The iQ-R platform is the dominant Mitsubishi PLC in automotive manufacturing, food and beverage, and semiconductor production. A denial-of-service against a PLC running a production line is an operational disruption rather than a data breach, but in continuous manufacturing environments the recovery time from an unexpected PLC halt — particularly where the restart procedure requires manual intervention — translates directly to production loss. Mitsubishi recommends enabling IP filter functionality in the iQ-R engineering software as a mitigation while patches are prepared.
Automotive CPS Security
The week’s primary automotive security development was not a new vulnerability disclosure but an accelerating policy reality: Open Charge Point Protocol (OCPP) compliance for EV charging infrastructure transitioned from a competitive differentiator to an effective procurement requirement across multiple U.S. state programs administering National Electric Vehicle Infrastructure (NEVI) formula funds. States including California, Texas, and New York updated their NEVI compliance guidance during the week to require demonstrated OCPP 2.0.1 certification for new charger installations, with OCPP 1.6 deployments flagged for remediation planning.
The security significance of OCPP 2.0.1 compliance is not incidental. The protocol revision introduced transport-layer security requirements, certificate-based device authentication, and standardized security event logging that were absent in OCPP 1.6 — the version running on the majority of the existing U.S. charging network. Every EV charger that connects to a central management system over 1.6 without additional TLS wrapping represents an unauthenticated control channel reachable from the internet: an attacker with access to that channel can modify charging parameters, disable chargers in coordinated denial-of-service attacks against charging corridors, or push malicious firmware to the charge point management controller. The Pwn2Own Automotive 2026 event in January demonstrated full compromise of chargers from three manufacturers using precisely this attack path.
The National Renewable Energy Laboratory published guidance during the week on minimum cybersecurity requirements for federally funded EV charging infrastructure, incorporating lessons from the January zero-day disclosures. The NREL guidance explicitly recommends that state procurement language require vendors to provide a Software Bill of Materials (SBOM) for all charger firmware components, establish a coordinated vulnerability disclosure program, and commit to a defined patch delivery timeline — mirroring the FDA’s requirements for connected medical devices and reflecting a broader trend toward treating internet-connected physical infrastructure with the same software supply-chain scrutiny previously reserved for enterprise IT.
Medical Device CPS Security
No FDA device-specific cybersecurity advisories were published in the May 15–22 window. The primary medical device security development of the week was a detailed analysis published by Claroty Team82 examining deployment patterns for legacy infusion pump systems in U.S. hospital networks. The analysis, drawing on data from over four hundred healthcare facility networks, found that Baxter SIGMA Spectrum and BD Alaris pumps manufactured before 2019 remain in active clinical use at seventy-one percent of surveyed facilities, despite both product lines having unresolved vulnerabilities in their wireless firmware management interfaces. Neither vendor has committed to a patch timeline for the affected legacy firmware versions, and replacement cycles at the surveyed facilities average eight to twelve years.
The practical implication for hospital security teams is a persistent unpatched attack surface in the most safety-critical device category in the clinical environment. Infusion pumps operating on clinical Wi-Fi networks alongside modern networked monitors and nursing station workstations represent an OT/IT convergence problem that hospital security operations centers are frequently not staffed to address: the clinical network monitoring required to detect anomalous pump behavior requires specialized OT security tooling that most hospital SOC platforms do not include. Claroty’s recommendation — network segmentation that prevents unauthenticated lateral reach from clinical Wi-Fi segments to pump management interfaces — is architecturally straightforward but requires coordination between facilities management, clinical engineering, and information security teams that many hospital organizations have not yet institutionalized.
The ongoing recovery at West Pharmaceutical Services, which disclosed its Nitrogen ransomware attack in the prior week, continued to affect sterile packaging supply chains through May 22. West disclosed in an updated regulatory filing that exfiltration had been confirmed and that some customer-confidential manufacturing specifications were among the stolen data. Pharmaceutical manufacturers dependent on West for sterile vial and syringe component supply were advised by the company to engage alternative qualified suppliers through procurement teams.
Water & Wastewater Sector
Congressional Hearing and GAO Report
The House Science, Space and Technology Subcommittee on Environment held its first dedicated water infrastructure cybersecurity hearing on May 19, marking the first formal congressional attention to the sector’s cybersecurity posture since CISA issued advisory AA26-097A on the CyberAv3ngers PLC campaign in early April. Witnesses included CISA’s Deputy Executive Assistant Director for Cybersecurity, the EPA’s Associate Administrator for Water, a representative from the American Water Works Association, and an independent OT security researcher with experience conducting vulnerability assessments at municipal water utilities.
The hearing produced no immediate legislation but established a public record on the sector’s structural vulnerabilities. Testimony confirmed that the CyberAv3ngers campaign, which targets internet-exposed Rockwell Automation Allen-Bradley EtherNet/IP devices in water, wastewater, and energy facilities, remains active and that a significant fraction of affected utilities have not yet completed the EPA-recommended remediation of removing these devices from internet-routable network segments. The AWWA representative testified that for utilities serving under ten thousand connections — approximately eighty percent of U.S. water systems — the technical personnel required to execute network segmentation changes often do not exist in-house, and that external contractors with OT networking expertise are both expensive and in short supply.
Two days after the hearing, the GAO published GAO-26-109159, a fifty-seven-page examination of water and wastewater cybersecurity that arrived with the credibility of an independent federal audit. The report’s central finding is that the sector’s cybersecurity posture is structurally mismatched to its threat environment in ways that cannot be resolved through advisory issuance or training alone. The GAO documented that water utilities’ SCADA systems average twelve to eighteen years of age, with many running Windows versions no longer supported by Microsoft and automation firmware that vendors actively discourage operators from patching due to proprietary software integration dependencies. The Modbus TCP protocol, which provides zero authentication — any device reaching TCP port 502 can read and write coils and registers controlling pumps, valves, chemical dosing systems, and safety interlocks — remains the communication standard at the majority of surveyed utilities’ field device layers. The GAO recommended that EPA develop a formal risk-tiering methodology for the sector and that Congress consider funding a technical assistance program specifically targeting utilities serving populations under fifty thousand that lack the budget and personnel for independent OT security programs.
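Because Modbus TCP itself will never reject a write, the compensating control has to live on the network. The following is an added example (not from the GAO report or any vendor tool) of a small Modbus/TCP monitor that parses the MBAP header and flags write function codes from any host other than the SCADA master, as well as any Modbus client outside the control network; the allowlist, subnet and sample frames are constructed assumptions.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Modbus function codes that change process state (coils / registers). A write
# reaching a pump, valve or dosing PLC is exactly the action the GAO finding
# warns about: nothing in the protocol checks who sent it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Hypothetical site policy (assumed, not from the report): only the SCADA
# master may write, and every Modbus client must sit inside the control LAN.
ALLOWED_WRITERS = {"10.50.1.10"}
CONTROL_NET = ip_network("10.50.0.0/16")
MODBUS_PORT = 502

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; raise on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so the ADU must be 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame)}-byte frame")
    return ModbusRequest(tid, uid, frame[7], frame[8:])

def assess(src_ip: str, dst_port: int, frame: bytes) -> list[str]:
    """Return alert strings for one client-to-server Modbus/TCP request."""
    alerts: list[str] = []
    if dst_port != MODBUS_PORT:
        return alerts
    if ip_address(src_ip) not in CONTROL_NET:
        alerts.append(f"Modbus client outside control network: {src_ip}")
    try:
        req = parse_mbap(frame)
    except ValueError as err:
        alerts.append(f"malformed Modbus frame from {src_ip}: {err}")
        return alerts
    if req.function in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        # Every write PDU starts with the 16-bit target coil/register address.
        addr = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        alerts.append(f"unauthorized {WRITE_FUNCTIONS[req.function]} at address "
                      f"{addr} on unit {req.unit_id} from {src_ip}")
    return alerts

# Constructed sample requests (src_ip, dst_port, ADU bytes); not captured traffic.
SAMPLE_TRAFFIC = [
    ("10.50.1.10", 502, bytes.fromhex("0001000000060103000A000A")),  # master reads 10 registers
    ("10.50.1.10", 502, bytes.fromhex("00050000000601060005001E")),  # master writes a setpoint
    ("10.50.7.33", 502, bytes.fromhex("00020000000601050011FF00")),  # workstation forces coil 17
    ("203.0.113.5", 502, bytes.fromhex("00030000000B0110000000020400000000")),  # external write
    ("10.50.7.33", 502, bytes.fromhex("000400000006010300")),        # truncated frame
]

def scan(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Run every sample request through assess() and collect the alerts."""
    return [alert for src, port, frame in traffic for alert in assess(src, port, frame)]

if __name__ == "__main__":
    for line in scan():
        print(line)
```

The same logic can be fed from a packet capture or a span port; the point is that the write/read distinction and the source allowlist are the only authorization Modbus TCP will ever get.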
CyberAv3ngers Campaign, Week Nine
The CyberAv3ngers PLC campaign entered its ninth week as a live CISA advisory. WaterISAC continued daily bulletin amplification, and CISA’s weekly operational update confirmed that new notifications were issued to utility operators whose Allen-Bradley EtherNet/IP devices remain internet-accessible. The May 19 congressional hearing testimony suggested that the pace of remediation is constrained by the same workforce and budget limitations the GAO documented: utilities that can take the remediation action in-house have largely done so, while those lacking the technical capacity continue to operate exposed devices despite awareness of the advisory.
Energy & Power Grid
Department of Energy Five-Year Security Plan
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) formally published its FY 2026–2030 strategic plan during the week, articulating a three-axis framework: developing security technologies suitable for deployment at resource-constrained utilities, hardening existing energy infrastructure against known attack vectors, and establishing emergency preparedness capabilities for scenarios involving coordinated attacks on grid components. The plan explicitly references the December 2025 ELECTRUM attack against Poland’s distributed energy resources as a scenario shaping the planning framework — the first time DOE has formally cited a specific foreign infrastructure attack in a strategic planning document.
The $160 million CESER budget allocation announced in late April provides the funding foundation for the first two axes. The third axis — emergency preparedness — overlaps with CISA’s CI Fortify initiative and focuses specifically on the ability to operate critical generation and transmission assets in an internet-isolated state during a geopolitical crisis scenario involving coordinated cyberattacks on grid management infrastructure. For energy operators, the practical implication of the plan is that DOE and CESER grant programs over the next five years will prioritize projects that demonstrate measurable improvement in OT-specific detection and response capabilities, with a preference for technology deployable at utilities that cannot staff a dedicated OT security team.
House Energy Security Bills
The House Energy Subcommittee on Energy advanced five bipartisan cybersecurity bills during the week, each targeting a specific segment of the grid and pipeline security gap. The bills cover mandatory incident reporting timelines for transmission operators, a voluntary certification program for distribution automation equipment, funding for state energy offices to conduct OT security assessments at rural electric cooperatives, requirements for liquefied natural gas terminal operators to maintain documented cybersecurity plans, and a study mandate on AI-assisted grid management security risks. The five bills now advance to the full Energy and Commerce Committee. Whether the package can survive the full committee and floor process in the current legislative environment remains uncertain, but the bipartisan advancement from subcommittee represents the furthest this class of energy security legislation has progressed since the 2021 American Rescue Plan cybersecurity provisions.
The 69% year-over-year increase in weekly cyberattacks against utilities — tracked across H1 2024 compared to H1 2023 — continued to be cited in briefing materials throughout the week as the baseline quantification of urgency behind the legislative effort.
Manufacturing & Industrial
CIRCIA Final Rule
CISA is expected to publish the final rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) before the end of May, creating the first comprehensive federal mandatory cyber incident reporting framework for covered entities. The rule will require critical infrastructure operators — including manufacturers meeting the sector-specific thresholds for “covered entities” — to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. For industrial organizations accustomed to voluntary disclosure norms and insurance-driven incident response timelines, the mandatory reporting window represents a significant operational change: it requires that the initial incident assessment sufficient to determine reportability be completed within the first day of a disruption, often before the full scope of the intrusion is known.
The manufacturing sector’s sustained ransomware exposure context gives the CIRCIA timing added weight. Dragos’s OT threat landscape reporting documents that manufacturing absorbed twenty-six percent of all global industrial ransomware incidents in 2025, with average OT dwell time of forty-two days before discovery — a timeline fundamentally incompatible with the 72-hour reporting requirement unless organizations invest in OT-specific detection capabilities that can surface ransomware activity before it reaches the encryption phase.
ATG System Breaches Under Investigation
U.S. authorities continued to investigate breaches of automatic tank gauge (ATG) systems at fuel storage facilities across multiple states. ATG systems manage fuel inventory measurement, leak detection, and overfill prevention at gas stations, fuel terminals, and emergency generator installations. The systems typically run embedded firmware on IP-connected controllers exposed to the internet for remote monitoring by fuel supply chain operators, and many deployments use default or unchanged factory credentials. The breach investigation, first reported in late April and continuing through the week, has identified unauthorized access to ATG controllers at facilities across at least twelve states. No evidence of physical manipulation of fuel systems has been established, but the access patterns suggest systematic credential-based reconnaissance rather than opportunistic exploration — a finding consistent with pre-positioning rather than immediate operational intent.
The ATG breach investigation is notable in a CPS context because it involves a category of device that sits at the boundary of logistics infrastructure and physical safety systems: overfill prevention and leak detection failures at fuel storage facilities carry direct environmental and fire-safety consequences. The Cybersecurity and Infrastructure Security Agency issued a technical advisory during the week recommending that ATG operators immediately change default credentials, disable internet exposure where not operationally required, and enable access logging.
Threat Intelligence Highlights
Dragos’s 2026 OT Cybersecurity Year in Review, actively referenced throughout the week in industry discussions, documented three newly tracked threat groups with distinct OT targeting profiles. SYLVANITE acts as an initial access broker for OT environments, handing established footholds to other groups — most notably VOLTZITE, the Volt Typhoon-adjacent group with documented pre-positioning in U.S. energy and water infrastructure — for deeper intrusion development. PYROXENE is assessed with moderate confidence to have deployed destructive wiper malware against critical infrastructure during a regional conflict, representing the leading edge of wiper-as-OT-disruption-tool in active deployment. AZURITE, assessed to share OT targeting capabilities with Flax Typhoon, has conducted sustained operations across U.S., European, and Asia-Pacific critical infrastructure targets.
The structural picture these groups collectively paint is consistent with the threat model behind CISA’s CI Fortify initiative: multiple nation-state actors are simultaneously developing and maintaining pre-positioned access in critical infrastructure, with the intent to convert pre-positioning to operational disruption during a geopolitical crisis. SYLVANITE’s broker role is particularly concerning because it means that detection of initial access in an OT-adjacent environment does not necessarily identify the ultimate threat actor or their objectives — the entity that established the foothold may have already transferred it to a more capable group before the initial compromise is discovered.
The CyberAv3ngers and MuddyWater Iranian nexus continued as an active intelligence thread. The MuddyWater false-flag operation documented in earlier reporting — posing as a Chaos ransomware actor in critical infrastructure espionage campaigns — remains relevant context for incident response teams encountering apparent ransomware behavior in OT-adjacent environments. Indicators that appear to point to financially motivated ransomware should be treated as insufficient to rule out state-sponsored espionage activity until attribution is positively established.
Defensive Recommendations
Organizations with ICONICS GENESIS64 or MobileHMI deployments should treat ICSA-26-139-03 as the highest-priority patch action from this week. The unauthenticated remote command injection at CVSS 9.1 is exploitable from any network that can reach the GENESIS64 web services interface, which in building management and utility SCADA deployments is often a segment accessible from corporate IT networks. Apply version 10.97.3 and, as an immediate interim measure, enforce network access controls that limit web services exposure to authorized engineering and operator workstations only.
WAGO PFC200 operators should apply firmware 03.11.03 to address the CODESYS heap overflow (ICSA-26-141-02). Given that the flaw is in the shared CODESYS runtime rather than WAGO-specific code, organizations should also audit their exposure to other CODESYS-based PLC deployments from other vendors and check for pending advisories across that vendor set. The programming port should be restricted at the network level to authorized engineering hosts regardless of patch status.
Mitsubishi MELSEC iQ-R operators should enable IP filter functionality in the iQ-R engineering software immediately as a mitigation for ICSA-26-141-04. In automotive and semiconductor manufacturing environments where iQ-R PLCs control continuous production processes, the denial-of-service risk is operational rather than merely theoretical. Network access to the EtherNet/IP port should be limited to the control network segment and explicitly blocked from IT-adjacent network zones.
Water and wastewater operators who have not yet completed CyberAv3ngers remediation under advisory AA26-097A should treat the May 19 congressional hearing testimony as an indicator that regulatory follow-up is now more likely than not. The EPA’s remediation outreach is shifting from advisory to enforcement posture, and the GAO’s formal audit record of the sector’s vulnerability provides the evidentiary foundation for sector-specific regulatory action. Utilities that cannot execute the remediation in-house should request technical assistance through WaterISAC’s peer support network or CISA’s free in-person assessment program.
Organizations subject to CIRCIA reporting requirements should use the period before the final rule’s publication to validate that their incident response playbooks can produce a reportable assessment within 72 hours of initial detection. In OT environments where the incident classification process involves multiple teams — plant operations, IT security, legal, and executive leadership — the 72-hour window requires that notification chains and decision authorities be pre-established rather than negotiated during an active incident.
ATG operators should treat the ongoing breach investigation as a credentialing audit trigger: rotate all ATG controller credentials immediately, audit internet exposure, and confirm that leak detection and overfill prevention subsystems have independent physical failsafes that cannot be disabled via the networked controller interface.
Sources Referenced
Government Advisories & Alerts
- ICSA-26-139-03: ICONICS GENESIS64 and MobileHMI (CISA)
- ICSA-26-139-05: ABB ASPECT Building Management System (CISA)
- ICSA-26-141-02: WAGO PFC200 CODESYS Runtime (CISA)
- ICSA-26-141-04: Mitsubishi Electric MELSEC iQ-R (CISA)
- ICS Advisories Listing (CISA)
- Advisory AA26-097A: CyberAv3ngers PLC Campaign (CISA)
- CI Fortify Initiative (CISA)
Government Reports & Legislation
- Cybersecurity of Critical Water Infrastructure – GAO-26-109159 (U.S. GAO)
- DOE CESER FY 2026–2030 Strategic Plan (Department of Energy)
- Five Bills to Boost Energy Sector Cyber Defenses Clear House Panel (SecurityWeek)
- House Subcommittee Hearing: Water Infrastructure Cybersecurity (House Science, Space and Technology Committee)