Executive Summary
The most operationally disruptive CPS incident of the week was a ransomware attack by The Gentlemen – tracked by Microsoft as Storm-2697 – against Mackay Sugar in Queensland, Australia, which forced two of three sugar mills offline at the very start of the crushing season and halted cane haulage and harvesting across approximately 1,300 farms. CISA issued two ICS advisories squarely within the reporting window: ICSA-26-167-03 on June 16 warned of an unauthenticated remote denial-of-service vulnerability in Rockwell Automation CompactLogix and ControlLogix controllers, and ICSA-26-169-07 on June 18 disclosed a session prediction flaw spanning multiple Schneider Electric OT product families. On the threat intelligence front, Iranian-affiliated cluster CL-STA-1128 – better known as Cyber Av3ngers and overlapping with Microsoft’s Storm-0784 designation – continues to target Allen-Bradley PLCs and FactoryTalk SCADA systems, a threat formalized in a multi-agency CISA advisory in April that continues to define the background threat environment heading into summer.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of June 12 – June 19, 2026
Critical Alerts & Advisories
CISA published at least two ICS advisories directly within the June 12–19 reporting window, both with immediate relevance to widely deployed operational technology platforms.
The more operationally urgent was ICSA-26-167-03, published June 16, covering a denial-of-service vulnerability in Rockwell Automation’s CompactLogix 5370 and ControlLogix 5570 programmable logic controllers. CVE-2026-11317 carries a CVSS v4.0 score of 8.7 and is exploitable remotely without authentication: an attacker on the network can craft a malformed CIP message – Common Industrial Protocol is the communication standard underlying most Allen-Bradley PLC deployments – that triggers an improper resource shutdown or release condition classified under CWE-404. The practical consequence is a process-halting denial of service on one of the most widely deployed PLC families in North American manufacturing, energy, and water infrastructure. Operators who have not already restricted CIP traffic to authorized engineering workstations and SCADA servers should treat this as a priority, particularly in light of ongoing Iranian threat actor activity against precisely this equipment family.
Two days later, on June 18, CISA published ICSA-26-169-07 disclosing CVE-2026-4827, a session prediction vulnerability in multiple Schneider Electric OT product lines, published concurrently under Schneider’s own security notice SEVD-2026-132-02. The flaw lies in insufficient entropy in session token generation, enabling an attacker who can observe or predict token values to hijack active operator sessions without requiring valid credentials. Affected product families span a broad cross-section of Schneider’s OT portfolio – including the Easergy protection relay family, the EcoStruxure energy management and building automation suites, PowerLogic power monitoring equipment, and Saitel remote terminal units. The CVSS score varies by scoring version, reported as 8.2 under CVSS v3.1 and 8.7 under CVSS v4.0, but in either case the severity is high. Session hijacking on SCADA-connected devices carries risks well beyond account compromise, extending to potential manipulation of distribution switching, load management, and protection relay functions depending on the affected product.
Manufacturing & Agri-Industrial CPS: Mackay Sugar Ransomware
The most consequential CPS incident of the week unfolded in Queensland, Australia, where ransomware struck Mackay Sugar – Australia’s second-largest raw sugar producer – on June 10, forcing shutdowns at the Farleigh and Racecourse mills within days of the 2026 crushing season opening. Farleigh mill had only commenced crushing on June 4 and Racecourse on June 9, meaning the attack landed almost precisely at the operational peak of the season’s opening fortnight. Cane haulage and harvesting logistics were disrupted across approximately 1,300 farms that depend on the Mackay Sugar supply network.
The Gentlemen claimed responsibility on their Tor-hosted leak site on June 15. By June 12, Mackay Sugar had restored limited manual crushing at one facility, but the company’s own statement acknowledged that key cane supply and logistics systems remained under restoration. The incident illustrates a pattern that security researchers have increasingly documented: ransomware operators timing attacks to coincide with operationally critical periods, exploiting the elevated cost of downtime – and therefore elevated pressure to pay – that comes with harvest season openings, year-end financial closes, and similar production peaks.
The attack also highlights the convergence of IT and OT systems in modern agri-industrial operations. Sugar mill operations depend on interconnected systems spanning cane scheduling software, mill automation, transport logistics, and field communications – all of which represent potential lateral movement paths from a compromised IT network into physical production systems. The incident is likely to accelerate sector-specific guidance on OT network segmentation for food and agriculture operators from CISA and allied agencies.
Automotive CPS Security
The automotive cybersecurity sector received a comprehensive threat landscape update with the release of the VicOne Q1 2026 Situational Awareness Report, which documented 405 total cybersecurity incidents across the automotive, transportation, and logistics sectors in the first quarter – up from 378 in Q4 2025 and continuing an unbroken upward trend. Within that figure, logistics and transportation companies bore the heaviest ransomware burden at 61 incidents, followed by automotive suppliers at 38 and dealer and retailer networks at 32. The data reflects the sector’s persistent vulnerability to supply chain attacks: targeting a Tier 1 or Tier 2 supplier can simultaneously disrupt multiple OEMs, making supplier networks a high-leverage target for both ransomware operators and espionage actors seeking pre-positioned access to vehicle design data or production systems.
Pwn2Own Automotive 2026, held January 21–23 in Tokyo, continued to generate industry analysis during this period as researchers published post-event assessments of the 76 zero-day vulnerabilities discovered across connected vehicle platforms, which collectively earned $1,047,000 in payouts from the Zero Day Initiative. Among the most noted findings, Synacktiv demonstrated an exploit chain against Tesla’s infotainment system via a physical USB attack – chaining an information leak with an out-of-bounds write vulnerability – for a $35,000 award. The breadth and density of zero-days surfaced at the event, across charging equipment, in-vehicle infotainment, and vehicle network components, reinforced the automotive industry’s core challenge: attack surface expansion driven by connectivity and software-defined vehicle architecture is outpacing the rate of security maturation in the underlying platforms.
Medical Device CPS Security
No FDA cybersecurity safety communications or medical device advisories specific to the June 12–19 window were confirmed in this reporting cycle. For regulatory context, a peer-reviewed systematic analysis published in Frontiers in Digital Health documented the FDA’s cumulative record of 18 cybersecurity safety communications issued between June 2013 and January 2025, with the pace accelerating from 4 alerts in the 2013–2017 period to 14 alerts in 2018–2025. The primary vulnerability classes driving those communications included unauthorized remote access enabling remote code execution, denial-of-service conditions, device malfunctions, and data breaches – a taxonomy that maps closely to the vulnerability types disclosed in adjacent OT sectors this week.
The regulatory backdrop against which these disclosures occur has shifted substantially in 2026 with the full implementation of the FDA’s Section 524B requirements and the February 2026 cybersecurity premarket submission guidance aligning with the Quality Management System Regulation. Medical device manufacturers are now expected to demonstrate integrated security by design, maintain software bills of materials, and sustain post-market monitoring programs – a higher bar that will take several years of procurement cycles to materially improve the security posture of devices currently operating in hospital environments.
Water & Wastewater Sector
No confirmed water or wastewater sector incidents or advisories were verified for the June 12–19 reporting window. The sector remains under elevated background threat on two fronts. The Rockwell Automation CompactLogix and ControlLogix controllers affected by CVE-2026-11317 are widely deployed in water treatment and distribution SCADA systems, making the June 16 advisory directly applicable to water utility operators. Separately, CL-STA-1128’s documented history of targeting water utility PLCs – including the 2023–2024 Unitronics campaigns at U.S. water facilities – means any intensification of Iranian-affiliated OT targeting activity carries direct water sector risk.
Energy & Power Grid
No confirmed energy-sector-specific incidents were verified for the June 12–19 window. The Schneider Electric session prediction advisory is directly relevant to energy operators, however. The affected Saitel RTU product line is a common component in distribution automation systems, and EcoStruxure deployments span power generation, grid management, and building energy systems across utilities worldwide. Session hijacking on those devices extends the risk beyond data access to potential manipulation of distribution switching and load management functions – a distinction that elevates what might appear to be a credential vulnerability into an operational integrity concern.
Threat Intelligence Highlights
The dominant CPS threat actor narrative heading into the summer of 2026 remains the Iranian-affiliated cluster designated CL-STA-1128 – also tracked as Cyber Av3ngers and Storm-0784 by Microsoft. Unit 42 at Palo Alto Networks identified and tracked the cluster’s activity through late March 2026 as it systematically targeted Rockwell Automation OT/ICS equipment, and CISA explicitly confirmed in the joint advisory AA26-097A, issued April 7, 2026 and co-signed by the FBI, NSA, EPA, DOE, and U.S. Cyber Command, that the group was “also exploiting PLCs manufactured by Allen-Bradley.” This represents a documented expansion of CL-STA-1128’s targeting beyond the Unitronics equipment exploited in earlier water utility campaigns, moving into the FactoryTalk SCADA ecosystem and the Logix controller family that forms the backbone of a large proportion of North American manufacturing and energy OT environments.
The April advisory effectively functions as a persistent threat intelligence reference throughout the summer reporting period, as threat clusters of this type tend to maintain pre-positioned access in environments where initial intrusion is not fully remediated. The coincidence of CVE-2026-11317 – a new, unauthenticated remote denial-of-service vulnerability in exactly the Allen-Bradley Logix controllers CL-STA-1128 has been exploiting – with the continued threat actor activity amplifies the urgency of patching and network segmentation in affected environments.
Broader OT threat landscape analysis from OPSWAT covering 2024–2026 highlights that file-based attack vectors remain a consistent entry point across OT breach chains. Malicious engineering project files, weaponized OT-specific file formats, and files delivered through IT channels that reach OT engineer workstations continue to serve as a bridge between internet-exposed IT systems and air-gapped or segmented OT environments. The pattern reinforces the value of secure file transfer controls, content inspection at IT/OT network boundaries, and strict controls on removable media in OT environments.
Defensive Recommendations
Operators of Rockwell Automation CompactLogix 5370 and ControlLogix 5570 controllers should apply the mitigations specified in ICSA-26-167-03 as a priority. Until patching is complete, restrict CIP traffic at the network layer so that only authorized engineering workstations and SCADA servers can communicate with affected controllers – unauthenticated remote exploitability means network segmentation is the primary near-term control. This recommendation takes on added urgency given CL-STA-1128’s confirmed active exploitation of Allen-Bradley equipment; consult advisory AA26-097A for indicators of compromise and detection guidance applicable to these environments.
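As an added example of the CIP restriction recommended above (not code from the advisory or from Rockwell), the following audits a flow log for CIP sessions reaching Logix controllers from hosts outside the engineering-workstation/SCADA allowlist, and emits the matching nftables allowlist rules. The addresses and log lines are constructed; the port numbers are the standard EtherNet/IP values, which the advisory text here does not list.

```python
"""Audit flow logs for CIP traffic from hosts outside the allowlist and emit
the matching nftables allowlist rules. Added example, not from the advisory."""
import re

# EtherNet/IP, the CIP transport on these controllers, uses TCP/UDP 44818 for
# explicit messaging and UDP 2222 for implicit I/O (standard port numbers).
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Constructed, hypothetical addresses and flow lines; 192.168.1.77 is the finding.
AUTHORIZED = {"10.10.5.21", "10.10.5.22"}   # engineering workstation, SCADA server
CONTROLLERS = {"10.10.20.7", "10.10.20.8"}  # the PLCs being protected
SAMPLE_FLOWS = """\
2026-06-16T10:01:02Z src=10.10.5.21 dst=10.10.20.7 proto=tcp dport=44818
2026-06-16T10:01:09Z src=10.10.5.22 dst=10.10.20.8 proto=udp dport=2222
2026-06-16T10:02:41Z src=192.168.1.77 dst=10.10.20.7 proto=tcp dport=44818
2026-06-16T10:02:42Z src=192.168.1.77 dst=10.10.20.8 proto=tcp dport=44818
2026-06-16T10:03:00Z src=10.10.30.5 dst=10.10.20.7 proto=tcp dport=443
"""
FLOW_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            f = m.groupdict()
            f["dport"] = int(f["dport"])
            yield f

def unauthorized_cip(text, authorized=AUTHORIZED, controllers=CONTROLLERS):
    """Map each non-allowlisted source to the controllers it reached over CIP."""
    hits = {}
    for f in parse_flows(text):
        if ((f["proto"], f["dport"]) in CIP_PORTS and f["dst"] in controllers
                and f["src"] not in authorized):
            hits.setdefault(f["src"], set()).add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def nft_rules(authorized=AUTHORIZED, controllers=CONTROLLERS):
    """nftables forward-chain rules: CIP to controllers only from the allowlist."""
    a = ", ".join(sorted(authorized))
    c = ", ".join(sorted(controllers))
    return [
        f"ip saddr {{ {a} }} ip daddr {{ {c} }} tcp dport 44818 accept",
        f"ip saddr {{ {a} }} ip daddr {{ {c} }} udp dport {{ 2222, 44818 }} accept",
        f"ip daddr {{ {c} }} tcp dport 44818 drop",
        f"ip daddr {{ {c} }} udp dport {{ 2222, 44818 }} drop",
    ]
```

Run `unauthorized_cip(SAMPLE_FLOWS)` against exported flow records to find hosts that the rules from `nft_rules()` would cut off, so the allowlist is validated before it is enforced.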
Schneider Electric customers across the Easergy, EcoStruxure, PowerLogic, and Saitel product lines should review SEVD-2026-132-02 and apply the version-specific patches or configuration mitigations described therein. Session prediction attacks can be partially mitigated in the interim by enforcing short session timeouts, monitoring for anomalous session activity from unexpected source addresses, and ensuring operator sessions are explicitly terminated after use – standard hygiene that reduces the exploitable window when session token entropy is insufficient.
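The session-prediction flaw described in the advisory section and the interim monitoring advice above both turn on whether a device's session tokens are guessable. As an added example (not Schneider's code and not the algorithm behind CVE-2026-4827), the following audits a sample of tokens an operator collects from their own device: a constructed low-entropy generator stands in for the weak case, and a CSPRNG-backed generator shows what a healthy sample looks like.

```python
"""Audit a session-token sample for the predictability an insufficient-entropy
generator produces. Added example; the weak generator is a constructed stand-in,
not any vendor's actual algorithm."""
import secrets

TOKEN_BITS = 128

def weak_tokens(n, start=0x5EED_0000):
    """Constructed low-entropy generator: a fixed prefix and a stepping counter."""
    return [(0xA1B2C3D4 << 96) | (start + 7 * i) for i in range(n)]

def strong_tokens(n):
    """CSPRNG-backed tokens; the secrets module is the right source for these."""
    return [secrets.randbits(TOKEN_BITS) for _ in range(n)]

def varying_bits(tokens):
    """Count bit positions that take more than one value across the sample.
    A healthy generator varies essentially every bit; a counter varies a few."""
    changed = 0
    for t in tokens[1:]:
        changed |= tokens[0] ^ t
    return bin(changed).count("1")

def sequential_fraction(tokens, window=2 ** 16):
    """Fraction of consecutive pairs whose difference is tiny relative to the
    token width; near 1.0 means the next token follows from the last."""
    close = sum(1 for a, b in zip(tokens, tokens[1:]) if abs(b - a) < window)
    return close / (len(tokens) - 1)

def assess(tokens, min_bits=64, max_sequential=0.05):
    """Return (ok, findings) for a token sample collected from one device."""
    findings = []
    vb = varying_bits(tokens)
    if vb < min_bits:
        findings.append(f"only {vb} of {TOKEN_BITS} bits ever vary")
    sf = sequential_fraction(tokens)
    if sf > max_sequential:
        findings.append(f"{sf:.0%} of consecutive tokens are near-sequential")
    return (not findings, findings)
```

Feed `assess()` a few hundred tokens captured from an isolated test unit; a failing result is the signal to prioritise the vendor patch and tighten session timeouts on that product.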
Agri-industrial operators and food and beverage manufacturers should treat the Mackay Sugar incident as a sector-specific warning. The timing of the attack at the opening of harvest season – whether deliberate or opportunistic – suggests that ransomware operators may be developing awareness of seasonal operational rhythms in agricultural processing. Incident response plans should address OT-specific recovery scenarios including manual fallback procedures for cane scheduling, mill automation, and transport coordination, with recovery time objectives calibrated to seasonal constraints where manual operations cannot substitute for automated systems at full production scale.
Sources Referenced
Government Advisories
Threat Intelligence & Incident Reports
- Palo Alto Unit 42: Iranian Cyberattacks 2026 – CL-STA-1128/Cyber Av3ngers Campaign
- SecurityWeek: Ransomware Attack Shuts Down Mills of Australia’s Second-Largest Sugar Producer
- Industrial Cyber: Cyberattack Disrupts Mackay Sugar Operations, Exposing Agri-Industrial Cyber Risks
- OPSWAT: Every OT Breach Has a File in Its Attack Chain – ICS/OT Threat Landscape 2024–2026