Ransomware group The Gentlemen shut down two Australian sugar mills at the start of harvest season, while CISA advisories flagged unauthenticated denial-of-service risks in Rockwell Automation Logix controllers and session-hijacking vulnerabilities across Schneider Electric’s broad OT product portfolio.
CISA issued six ICS advisories across two batches covering solar inverters, industrial switches, robot mowers, and IoT cameras while publishing BOD 26-04 mandating three-day remediation for the highest-risk vulnerabilities – all against a backdrop of ongoing Iranian APT disruption of U.S. water and energy PLCs.
CISA’s June 4 advisory batch flagged hard-coded credentials in maritime navigation and a multi-sector OPC-UA denial-of-service, while Canada issued its first federal intelligence warning on connected vehicle data risks from Chinese EV manufacturers and Dragos named two new ICS threat groups pre-positioning for destructive attacks.
CISA’s May 28 advisory batch exposed critical flaws in EV chargers, maritime recorders, and a cardiac monitor, while a pre-authentication RCE in GNU Inetutils telnetd puts legacy OT systems at significant risk.
Congress held its first dedicated water infrastructure cybersecurity hearing while CISA published a second ICS advisory batch for the week and the GAO released a sweeping report confirming that most U.S. water utilities lack the workforce, budgets, and modern control systems needed to resist persistent nation-state and hacktivist campaigns.
The first documented AI-assisted attack on industrial water infrastructure — where Claude autonomously mapped SCADA access paths and generated a 17,000-line intrusion framework against a Mexican utility with no prior OT knowledge from the attacker — headlined a week that also delivered CISA’s largest ICS advisory batch of the year, Foxconn’s Nitrogen ransomware breach across North American factories, and a Universal Robots cobot command injection flaw scoring a critical CVSS 9.8.
CISA launched the CI Fortify initiative on May 5 – landmark guidance requiring critical infrastructure to plan for isolated operation through geopolitical cyber conflicts – while publishing five ICS advisories covering ABB B&R Automation Studio and Runtime, Hitachi Energy PCM600, B&R PVI client, and MAXHUB Pivot Client; Forescout simultaneously released research flagging a record spike in high-severity OT/ICS flaws driven by a dangerous visibility gap between disclosed CVEs and published advisories.
CISA published seven ICS advisories across the April 24-May 1 week, headlined by six ABB advisories on April 30 covering AWIN Gateways (CVE-2025-13777/78/79), Ability OPTIMAX SSO bypass, Symphony Plus Engineering, and System 800xA, plus a single April 28 advisory for NSA GRASSMARLIN. Itron and Medtronic both disclosed breaches on April 27, and the Iranian CyberAv3ngers PLC campaign continued to drive elevated posture in water, energy, and government sectors.
CISA released over a dozen ICS advisories on April 21 and 23 covering critical vulnerabilities in SenseLive X3050, Silex Technology SD-330AC, Hardy Barth EV chargers, Siemens SINEC NMS, and others, while Forescout disclosed the BRIDGE:BREAK vulnerability cluster affecting 20,000 serial-to-IP converters, and Darktrace identified ZionSiphon—a development-stage OT malware designed to sabotage Israeli water treatment and desalination facilities.
Sweden attributed a 2025 destructive cyberattack on a thermal power plant to Russian intelligence-linked hackers in an April 15 disclosure, while CISA published four new ICS advisories on April 16—including a CVSS 9.8 flaw in Anviz access control systems and a critical missing-authorization vulnerability in AVEVA Pipeline Simulation—and the FBI IC3 2025 Annual Report confirmed healthcare as the most ransomware-targeted critical infrastructure sector.
A joint six-agency advisory warned that Iranian CyberAv3ngers are actively exploiting Rockwell Automation PLCs across U.S. water, energy, and government infrastructure, while CISA published five new ICS advisories—including a critical missing-authentication flaw in natural gas odorizer controllers—and a ransomware attack on Signature Healthcare forced ambulance diversions and chemotherapy cancellations.
CISA published five ICS advisories headlined by critical authentication-bypass flaws in the PX4 drone autopilot and Anritsu spectrum monitors, while actively exploited vulnerabilities in F5 BIG-IP APM and Hitachi Energy Ellipse prompted urgent patching—and a ransomware attack on Minot, North Dakota’s water treatment plant underscored the escalating threat to municipal water infrastructure.
CISA released seven ICS advisories including a maximum-severity CVSS 10.0 PTC Windchill deserialization flaw and a critical WAGO managed switch CLI escape vulnerability, while FERC approved sweeping CIP reliability standard updates for virtualization and supply chain security—and New York’s first-in-nation mandatory wastewater cybersecurity incident reporting requirement took effect, all against the backdrop of an ongoing Iranian cyber campaign that struck a second U.S. healthcare provider within weeks of the Stryker wiper attack.
The U.S. Justice Department formally attributed the Handala hacktivist group to Iran’s MOIS and the FBI seized its domains, while CISA released eight new ICS advisories headlined by critical EV charging and parking infrastructure vulnerabilities, a CVSS 9.8 SCADAPack RTU flaw, and Schneider Electric EcoStruxure code injection—as the Interlock ransomware gang’s exploitation of a Cisco FMC zero-day 36 days before disclosure underscored the accelerating pace of OT-adjacent threats.
Iran-linked Handala group devastated medical device giant Stryker with a wiper attack across 79 countries, while CISA’s ICS Patch Tuesday delivered ten advisories headlined by a CVSS 10.0 Honeywell building management controller with no vendor patch, a critical Siemens S7-1500 PLC vulnerability, and Schneider Electric EcoStruxure flaws enabling full system compromise.
Iran-aligned threat actors escalated cyberattacks against critical infrastructure following Operation Epic Fury, while CISA—operating at reduced capacity during the DHS shutdown—issued nine ICS advisories covering Hitachi Energy RTU500 substation controllers, Mitsubishi MELSEC PLCs, wind turbine ice detectors, and a continued wave of EV charging platform vulnerabilities.
CISA issued Emergency Directive 26-03 for a Cisco SD-WAN zero-day exploited since 2023, while a coordinated disclosure exposed critical authentication flaws across six EV charging platforms and Copeland XWEB refrigeration controllers received a perfect CVSS 10.0 advisory with 23 vulnerabilities.
The DHS shutdown left CISA operating at 38% capacity during a week when Dragos revealed three new OT threat groups and Volt Typhoon still embedded in U.S. utilities, while CISA released eight ICS advisories including a critical flaw in natural gas odorization controllers with no vendor response.
Week 07 featured a major ICS Patch Tuesday with advisories from Siemens, Schneider Electric, AVEVA, and Phoenix Contact; CISA issued a binding directive ordering federal agencies to replace unsupported edge devices; and the UK NCSC warned of severe cyber threats to critical national infrastructure following the Poland grid attack.
Week 06 was highlighted by Romania’s Conpet oil pipeline operator being hit by Qilin ransomware, 13 new CISA ICS advisories including a CVSS 10.0 for a defunct vendor’s product, FDA’s updated cybersecurity guidance aligned with QMSR enforcement, and a major Chinese espionage campaign compromising 70 organizations across 37 countries.
Week 05 saw ESET and Dragos attribute the DynoWiper attack on Poland’s power grid to Russia’s Sandworm group, CISA issue seven ICS advisories affecting Rockwell, Johnson Controls, and Schneider Electric, and NERC release a landmark CIP Roadmap highlighting growing risks to low-impact grid assets.
Week 04 was dominated by Pwn2Own Automotive 2026, with 76 zero-days in Tesla, EV chargers, and IVI systems, plus 8 new CISA ICS advisories affecting Schneider Electric, Rockwell, and Delta Electronics.
Week 03 features critical AVEVA Process Optimization RCE vulnerabilities, Siemens Industrial Edge authentication bypass, Rockwell GuardLink DoS flaws, and Pwn2Own Automotive 2026 discoveries in Tokyo.
Week 02 highlights include CISA advisories for weather monitoring systems, a critical Bluetooth vulnerability in WHILL wheelchairs (CVSS 9.8), and pro-Russia hacktivists targeting OT infrastructure.
Week 51 features a CISA advisory on pro-Russia hacktivists targeting water/energy sectors, critical ICS vulnerabilities in Siemens/Rockwell/Advantech products, and automotive zero-days in aftermarket devices.
Week 48 saw CISA release 5 critical ICS advisories, including a CVSS 9.3 vulnerability in Emerson UPS monitoring (end-of-life, no patch), plus building automation and industrial edge controller flaws.
Week 47 highlights the first large-scale autonomous AI cyberattack disclosed by Anthropic, Scattered Spider teens charged for the TfL breach, and critical analysis of AI-powered attack automation.