Energy Sector
49 articles covering energy OT/ICS security
FrostyGoop: The ICS Malware That Weaponised Modbus TCP Against Energy Infrastructure
FrostyGoop (BUSTLEBERM) is the first publicly documented ICS-specific malware to directly communicate with industrial devices via Modbus TCP. Its January 2024 deployment against a Ukrainian district heating company — disrupting heat for 600 buildings in winter — demonstrates the operational impact of OT-native attack tools.
GhostLock CVE-2026-43499: Advisory for OT Environments Running Linux-Based Historian and SCADA Systems
The GhostLock Linux kernel vulnerability (CVE-2026-43499) enables local privilege escalation to root in approximately five seconds with 97% reliability. OT environments running Linux-based historian servers, OPC-UA gateways, and SCADA platforms are directly affected. Patching and mitigation guidance for industrial operators.
IEC 61850 Substation Automation Security: Attack Surface and Hardening for Power Grid Operators
IEC 61850 is the dominant protocol for digital substation automation — and it was designed for operational reliability, not security. GOOSE messages carry no authentication. MMS sessions use optional TLS that most deployments skip. This analysis covers the threat model and practical hardening for utilities and grid operators.
ABB PCM600 ICSA-26-120-02: Arbitrary Code Execution via Malicious Messages in Protection Relay Configuration
CISA advisory ICSA-26-120-02 documents a critical code execution vulnerability in ABB's PCM600 Protection and Control IED Manager, exploitable via malicious message processing through a vulnerable SharpZip.dll component. The tool is widely deployed for configuring protection relays in energy and critical manufacturing. No authentication is required for exploitation.
Modbus Protocol Security: Attack Surface, Exploitation, and OT Network Hardening
Modbus is the most widely deployed industrial protocol in the world — and one of the least secure. This guide covers the Modbus attack surface, documented exploitation techniques used against OT environments, and practical hardening measures for energy, water, and manufacturing defenders.
ICSA-26-181-02: FUXA SCADA CVE-2026-13207 -- Path Traversal to Unauthenticated RCE
ICS-CERT advisory ICSA-26-181-02 covers a dot-segment path normalization bypass in FUXA open-source SCADA software that allows unauthenticated remote code execution. CVSS v4 score 8.6. Deployments in water, energy, and manufacturing are exposed.
OT Incident Response: The First 48 Hours
When a cyber incident hits an operational technology environment, the first 48 hours determine whether a brief outage becomes a prolonged shutdown. This playbook covers the critical decisions, sequencing, and OT-specific considerations that IR teams need to get right from the first alert.
Siemens S7comm Protocol: Attack Surface, Unauthenticated Access, and OT Network Detection
S7comm is Siemens' proprietary PLC communication protocol. Legacy S7comm lacks authentication and encryption, enabling unauthenticated read/write access to process data and PLC control commands. This guide covers the attack surface, documented exploit techniques, and detection approaches for OT defenders.
CISA June 2026 ICS Advisories: Siemens WinCC and Rockwell RSLinx RCE
CISA released a batch of 10 ICS advisories on June 23, 2026, including critical vulnerabilities in Siemens WinCC Certificate Manager and SIPROTEC 5. Separately, ICSA-26-167-02 documents an unauthenticated stack-based buffer overflow in Rockwell Automation RSLinx Classic enabling remote code execution.
EV Charging Infrastructure Cybersecurity: OCPP Vulnerabilities, Grid Attack Surfaces, and Operator Obligations
The rapid buildout of EV charging infrastructure has created a new OT attack surface at the intersection of transportation, energy, and consumer technology. This briefing covers OCPP protocol vulnerabilities, documented attack incidents, the grid stability risk from coordinated charging manipulation, and what operators need to implement to meet emerging regulatory standards.
EtherNet/IP and CIP Security: Attack Surface, Vulnerabilities, and Hardening
EtherNet/IP is the dominant industrial Ethernet protocol in North American manufacturing, used in Allen-Bradley PLCs, robotics, and drive systems. This analysis covers the CIP protocol attack surface, known exploitation patterns, CIP Security extension adoption, and network hardening guidance.
Securing OT Remote Access: VPN, ZTNA, and Jump Server Architecture for Industrial Networks
Remote access to operational technology environments expanded dramatically during 2020-2022 and was never fully locked down. This guide covers the specific risks of each remote access pattern — vendor VPNs, site VPNs, jump servers, and ZTNA — and the hardening steps that reduce the attack surface without breaking the maintenance workflows OT teams depend on.
PIPEDREAM and COSMICENERGY: The ICS Malware Frameworks Built for Grid Disruption
PIPEDREAM (disclosed April 2022) and COSMICENERGY (May 2023) are the two most sophisticated ICS-targeting malware frameworks to emerge since TRITON. Both target industrial protocols used in power and energy infrastructure. This analysis covers their architecture, capabilities, and what they mean for defenders.
NERC CIP in 2026: Where Compliance Ends and Real OT Security Begins
NERC CIP is the compliance baseline for US bulk electric system cybersecurity — not a security ceiling. This briefing examines where NERC CIP requirements leave real gaps: low-impact assets, supply chain enforcement, operational technology visibility, and the delta between checkbox compliance and defensible OT security posture.
Solar Inverter OT Security 2026: Solarman, Deye, and 195GW of Grid Attack Surface
Bitdefender researchers disclosed critical vulnerabilities in Solarman and Deye solar inverter management platforms in 2024-2025, covering 195GW of installed capacity. OAuth token endpoint flaws, JWT reuse attacks, and hard-coded credentials created paths from the internet to grid-connected OT equipment. This article covers the vulnerability classes, the attack surface, and what energy sector operators need to assess.
Oil and Gas Pipeline Cybersecurity: TSA Directives, OT Threat Landscape, and Compliance Requirements in 2026
The TSA's pipeline cybersecurity directives have fundamentally changed the compliance environment for US pipeline operators. This analysis covers the directive requirements, the OT threat actors specifically targeting oil and gas infrastructure, and the technical controls that actually move the needle.
PROFINET Security: Attack Surface Analysis and Hardening for Industrial Ethernet Networks
PROFINET is the dominant real-time industrial Ethernet protocol in European manufacturing and process automation, with over 70 million installed nodes worldwide. This guide covers PROFINET's attack surface, documented exploits, network segmentation requirements, and hardening controls for OT security practitioners.
CISA ICS Advisory Roundup: Inductive Automation Ignition, ICONICS GENESIS64, and Mitsubishi Electric Vulnerabilities June 2026
CISA released nine ICS advisories in June 2026 covering critical and high-severity vulnerabilities in Inductive Automation Ignition, ICONICS/Mitsubishi GENESIS64, and Axis network cameras used in OT environments. This roundup covers the operational risk and remediation priorities.
DNP3 Protocol Security: Authentication, Attack Vectors, and Hardening for Energy and Water Utilities
DNP3 is the dominant SCADA communication protocol for energy and water utilities in North America. This guide covers its security architecture, known attack vectors, DNP3 Secure Authentication v5, and practical hardening for operational environments.
Ransomware in OT Environments: How Manufacturing and Energy Operators Are Being Hit in 2026
Ransomware groups are no longer stopping at IT systems. This sector briefing covers how operators in manufacturing, energy, and water treatment are being targeted in 2026 — the specific OT attack vectors, operational impact patterns, and the defensive controls that matter most.
ICS Patch Tuesday June 2026: Critical Vulnerabilities in Siemens, Honeywell, and Mitsubishi Electric Products
The June 2026 ICS Patch Tuesday cycle brings critical and high-severity advisories affecting Siemens industrial networks, Honeywell building and process control systems, and Mitsubishi Electric PLCs. OT security teams should prioritise triage and remediation planning for affected assets.
CISA Advisory: Automatic Tank Gauge Systems Under Active Attack — What OT Operators Need to Do Now
CISA, FBI, NSA, and five other US federal agencies issued a joint advisory in June 2026 warning of active malicious cyber activity targeting internet-exposed automatic tank gauge (ATG) systems across the energy, water, transportation, and critical infrastructure sectors. Attackers are exploiting authentication bypass and command execution flaws to modify pump controls and disable safety alerts.
OPC UA Security: Attack Surface Analysis and Hardening Recommendations for Industrial Environments
OPC Unified Architecture has become the dominant interoperability standard for industrial communication — and a consistent target in ICS-focused threat campaigns. This analysis covers the OPC UA threat model, documented vulnerability classes from recent CVEs, known exploitation by nation-state actors, and the hardening steps that reduce exposure without breaking operational continuity.
Advantech WebAccess/SCADA: Multiple High-Severity Vulnerabilities Enable Remote Code Execution
Advisories covering Advantech WebAccess/SCADA document path traversal, unrestricted file upload, and SQL injection vulnerabilities rated up to CVSS 8.8. WebAccess/SCADA is deployed across manufacturing, energy, and water treatment facilities globally. This analysis covers the vulnerability classes, exploitation paths, and immediate mitigations for OT operators.
Rockwell Automation ControlLogix and CompactLogix: Vulnerability Landscape and Hardening Guidance
Rockwell Automation's Logix family of programmable automation controllers has accumulated significant vulnerability history. This analysis covers key CVEs affecting ControlLogix and CompactLogix platforms, exploitation implications for industrial operations, and vendor-specific hardening steps.
Record 508 ICS Advisories in 2025: What the Vulnerability Surge Means for OT Defenders
Forescout's analysis of 2025 ICS security advisories identifies a record 508 advisories covering 2,155 vulnerabilities — with 82% rated high or critical. Field controllers, PLCs, and SCADA systems are the primary targets, and the growing share of advisories with no available patch creates an unresolvable exposure category that demands compensating controls.
CISA's Zero Trust Roadmap for OT: What the April 2026 Joint Guidance Means for Industrial Operators
CISA's April 2026 joint guidance 'Adapting Zero Trust Principles to Operational Technology' lays out a practical roadmap for applying zero trust in environments where the standard IT playbook doesn't work — legacy protocols, uptime requirements, and safety constraints included.
Iranian APT Groups Escalate Attacks on Internet-Exposed PLCs: Water, Energy and Government Under Threat
Since March 2026, Iranian-affiliated APT actors have been conducting disruptive attacks on internet-exposed programmable logic controllers across US critical infrastructure — particularly water/wastewater, energy, and government services. A joint advisory from CISA, FBI, NSA and US Cyber Command details the campaign and recommended mitigations.
Siemens May 2026 ICS Patch Tuesday: Device Takeover in Sentron Energy Meters, Root RCE in Ruggedcom, and 300+ Third-Party Flaws in CN4100
Siemens published 18 security advisories in May 2026's ICS Patch Tuesday, with critical findings in the Sentron 7KT PAC1261 energy data manager, Ruggedcom Rox, Simatic CN4100, and Opcenter RDnL manufacturing platform. This roundup covers the highest-impact advisories with operational guidance for affected sectors.
CISA ICS Advisory Roundup: Kaleris Navis N4, Delta Electronics CNCSoft, and ABB EIBPORT (May 2026)
CISA released eight ICS advisories and one medical device advisory on May 28, 2026, covering critical vulnerabilities in transportation management, CNC motion control, and industrial building automation systems. This analysis covers the highest-impact advisories and operational guidance for affected organisations.
Schneider Electric EcoStruxure Vulnerability Roundup: Critical Advisories Affecting Energy, Manufacturing, and Data Centre Operations
Schneider Electric has issued multiple CISA-coordinated advisories in 2026 covering critical vulnerabilities across the EcoStruxure platform suite -- including a CVSS 9.8 deserialization flaw in the Foxboro DCS Advisor, hard-coded credentials in Data Center Expert, and local RCE in Power Monitoring Expert.
CISA CI Fortify: What the New OT Isolation Guidance Means for Operational Technology Operators
CISA's CI Fortify initiative moves beyond standard patching guidance to address a harder problem: how critical infrastructure OT environments maintain operational continuity when internet, cloud, and telecom connectivity is severed during a geopolitical cyber crisis.
IEC 62443: The OT Security Standard Your Procurement Team Needs to Understand
IEC 62443 is the international standard series for industrial cybersecurity. This explainer covers the structure of the standard, what Security Levels mean in practice, the zones and conduits model, and how to reference 62443 in vendor contracts to actually improve your security posture.
Four-Faith Routers Under Active Attack, Iranian Threat Actors Hit US Fuel Systems
Mass exploitation of two vulnerabilities in Four-Faith industrial routers began May 12 with 139 attacking IPs observed against 15,800 exposed devices. Meanwhile, Iranian-linked threat actors continue automated attacks against Automatic Tank Gauge systems at US petrol stations.
OT Threat Landscape 2026: New Dragos Groups, Shrinking Exploit Windows, and the Visibility Crisis
Dragos's 2026 OT cybersecurity year-in-review identifies 26 threat groups specifically targeting operational technology -- including three newly tracked groups -- as exploit timelines compress to 24 days and fewer than one in ten OT networks have active monitoring. A practical analysis for OT security practitioners.
Default Credentials, Internet-Exposed PLCs, and the Unsophisticated Actor Problem
CISA's April 2026 joint advisory warns of Iranian-affiliated actors targeting internet-facing PLCs with basic techniques. The Poland energy attack demonstrated the real-world consequences. This analysis covers the threat, affected protocols, and what operators must do now.
CISA ICS Advisory Bundle: WAGO PFC, AVEVA Plant SCADA, and Beckhoff TwinCAT Vulnerabilities
CISA released seven ICS advisories on May 21, 2026, covering authentication and remote code execution vulnerabilities in WAGO PFC controllers, AVEVA Plant SCADA (formerly Citect), and Beckhoff TwinCAT runtime. Together these advisories affect PLC, SCADA, and automation runtime platforms deployed across manufacturing, energy, and building automation sectors globally.
Honeywell Experion PKS and C300 Controller Vulnerabilities: RCE Risk in Process DCS
Multiple vulnerabilities in Honeywell's Experion Process Knowledge System and C300 controller affect distributed control systems in oil and gas, petrochemical, and chemical processing facilities. Chained, the flaws provide an unauthenticated path from network access to code execution on the C300 controller's real-time OS, with potential to disrupt or manipulate industrial processes.
NIS2 OT Compliance: What the 2026 Enforcement Wave Means for Industrial Operators
EU member states are now issuing the first formal NIS2 enforcement actions against operators of essential services. Industrial operators — energy utilities, water authorities, manufacturing firms, and transport operators — face binding cybersecurity obligations, supply chain security requirements, and 24-hour incident reporting duties that the prior NIS1 regime did not meaningfully enforce. What actually changed and what OT teams need to do.
GE Vernova Grid Solutions SCADA Vulnerabilities: Path Traversal and Privilege Escalation in Energy Management
Multiple vulnerabilities in GE Vernova's Grid Solutions EMS/SCADA platform affect energy management systems used by electric utilities, grid operators, and transmission system operators globally. The highest-severity flaw allows unauthenticated path traversal enabling access to sensitive configuration files on the EMS server.
CISA Advisory: ABB AC500 PLC Remote Code Execution in Manufacturing and Process Control
CISA has issued an advisory covering a critical remote code execution vulnerability in ABB's AC500 PLC series, one of the most widely deployed programmable logic controller families in European manufacturing, paper and pulp, food processing, and water infrastructure. The flaw affects the Modbus TCP server component and requires no authentication to exploit.
CISA ICS Advisory: Siemens RUGGEDCOM and SCADABr Remote Code Execution
CISA has released a critical ICS advisory covering unauthenticated remote code execution vulnerabilities in Siemens RUGGEDCOM network devices and SCADABr SCADA software, both widely deployed in energy and manufacturing environments.
CISA Advisory: Hitachi Energy RTU500 Series Authentication Bypass in Grid SCADA
CISA has published an advisory covering multiple vulnerabilities in Hitachi Energy's RTU500 series, widely deployed as remote terminal units in power grid substations and transmission infrastructure. An authentication bypass flaw allows unauthenticated attackers on the device network to read and modify RTU configuration — a direct threat to substation automation and grid stability.
Claroty 2026 State of XIoT Security: OT Vulnerability Disclosures Hit New High
Claroty's annual State of XIoT Security report documents record-high vulnerability disclosures across operational technology, IoT, and connected medical devices. OT vulnerabilities now account for the majority of disclosed flaws, with critical infrastructure sectors facing compounded exposure from legacy device lifecycles and the accelerating advisory pace.
Volt Typhoon Pre-Positioning in US and UK OT Networks
China-nexus threat actor Volt Typhoon has systematically infiltrated operational technology networks across US and UK critical infrastructure sectors, establishing persistent footholds in energy, water, and communications systems for potential future disruption.
OT Network Segmentation: Purdue Model, DMZ Design, and Historian Isolation
A practical guide to network segmentation in OT environments, covering the Purdue Reference Model, industrial DMZ architecture, data historian isolation, and the tradeoffs between operational access and security posture.
TRITON/TRISIS: The Malware Designed to Kill
TRITON is the only publicly known malware explicitly engineered to disable Safety Instrumented Systems -- the last line of defense against industrial catastrophes. An analysis of its architecture, targeting of Schneider Electric Triconex controllers, and what it means for safety system cybersecurity.
Modbus and DNP3: Inherent Security Weaknesses in Legacy Industrial Protocols
Modbus and DNP3 were designed for reliability and interoperability, not security. An analysis of the structural security weaknesses in both protocols -- unauthenticated commands, lack of encryption, spoofing, and replay attacks -- and the compensating controls available to practitioners.
The OT Asset Inventory Problem: Visibility Gaps, Passive Discovery, and Unmanaged Devices
Most industrial operators cannot accurately enumerate the devices on their OT networks. This visibility gap is the foundational barrier to OT security -- you cannot protect what you cannot see. A practical look at passive discovery tools, the limits of vendor inventories, and strategies for building actionable asset visibility.