Water Sector
28 articles covering water OT/ICS security
FrostyGoop: The ICS Malware That Weaponised Modbus TCP Against Energy Infrastructure
FrostyGoop (BUSTLEBERM) is the first publicly documented ICS-specific malware to directly communicate with industrial devices via Modbus TCP. Its January 2024 deployment against a Ukrainian district heating company — disrupting heat for 600 buildings in winter — demonstrates the operational impact of OT-native attack tools.
GhostLock CVE-2026-43499: Advisory for OT Environments Running Linux-Based Historian and SCADA Systems
The GhostLock Linux kernel vulnerability (CVE-2026-43499) enables local privilege escalation to root in approximately five seconds with 97% reliability. OT environments running Linux-based historian servers, OPC-UA gateways, and SCADA platforms are directly affected. Patching and mitigation guidance for industrial operators.
Modbus Protocol Security: Attack Surface, Exploitation, and OT Network Hardening
Modbus is the most widely deployed industrial protocol in the world — and one of the least secure. This guide covers the Modbus attack surface, documented exploitation techniques used against OT environments, and practical hardening measures for energy, water, and manufacturing defenders.
OT Incident Response: The First 48 Hours
When a cyber incident hits an operational technology environment, the first 48 hours determine whether a brief outage becomes a prolonged shutdown. This playbook covers the critical decisions, sequencing, and OT-specific considerations that IR teams need to get right from the first alert.
Siemens S7comm Protocol: Attack Surface, Unauthenticated Access, and OT Network Detection
S7comm is Siemens' proprietary PLC communication protocol. Legacy S7comm lacks authentication and encryption, enabling unauthenticated read/write access to process data and PLC control commands. This guide covers the attack surface, documented exploit techniques, and detection approaches for OT defenders.
Securing OT Remote Access: VPN, ZTNA, and Jump Server Architecture for Industrial Networks
Remote access to operational technology environments expanded dramatically during 2020-2022 and was never fully locked down. This guide covers the specific risks of each remote access pattern — vendor VPNs, site VPNs, jump servers, and ZTNA — and the hardening steps that reduce the attack surface without breaking the maintenance workflows OT teams depend on.
PIPEDREAM and COSMICENERGY: The ICS Malware Frameworks Built for Grid Disruption
PIPEDREAM (disclosed April 2022) and COSMICENERGY (May 2023) are the two most sophisticated ICS-targeting malware frameworks to emerge since TRITON. Both target industrial protocols used in power and energy infrastructure. This analysis covers their architecture, capabilities, and what they mean for defenders.
DNP3 Protocol Security: Authentication, Attack Vectors, and Hardening for Energy and Water Utilities
DNP3 is the dominant SCADA communication protocol for energy and water utilities in North America. This guide covers its security architecture, known attack vectors, DNP3 Secure Authentication v5, and practical hardening for operational environments.
Ransomware in OT Environments: How Manufacturing and Energy Operators Are Being Hit in 2026
Ransomware groups are no longer stopping at IT systems. This sector briefing covers how operators in manufacturing, energy, and water treatment are being targeted in 2026 — the specific OT attack vectors, operational impact patterns, and the defensive controls that matter most.
ICS Patch Tuesday June 2026: Critical Vulnerabilities in Siemens, Honeywell, and Mitsubishi Electric Products
The June 2026 ICS Patch Tuesday cycle brings critical and high-severity advisories affecting Siemens industrial networks, Honeywell building and process control systems, and Mitsubishi Electric PLCs. OT security teams should prioritise triage and remediation planning for affected assets.
CISA Advisory: Automatic Tank Gauge Systems Under Active Attack — What OT Operators Need to Do Now
CISA, FBI, NSA, and five other US federal agencies issued a joint advisory in June 2026 warning of active malicious cyber activity targeting internet-exposed automatic tank gauge (ATG) systems across the energy, water, transportation, and critical infrastructure sectors. Attackers are exploiting authentication bypass and command execution flaws to modify pump controls and disable safety alerts.
OPC UA Security: Attack Surface Analysis and Hardening Recommendations for Industrial Environments
OPC Unified Architecture has become the dominant interoperability standard for industrial communication — and a consistent target in ICS-focused threat campaigns. This analysis covers the OPC UA threat model, documented vulnerability classes from recent CVEs, known exploitation by nation-state actors, and the hardening steps that reduce exposure without breaking operational continuity.
Advantech WebAccess/SCADA: Multiple High-Severity Vulnerabilities Enable Remote Code Execution
Advisories covering Advantech WebAccess/SCADA document path traversal, unrestricted file upload, and SQL injection vulnerabilities rated up to CVSS 8.8. WebAccess/SCADA is deployed across manufacturing, energy, and water treatment facilities globally. This analysis covers the vulnerability classes, exploitation paths, and immediate mitigations for OT operators.
Record 508 ICS Advisories in 2025: What the Vulnerability Surge Means for OT Defenders
Forescout's analysis of 2025 ICS security advisories identifies a record 508 advisories covering 2,155 vulnerabilities — with 82% rated high or critical. Field controllers, PLCs, and SCADA systems are the primary targets, and the growing share of advisories with no available patch creates an unresolvable exposure category that demands compensating controls.
CISA's Zero Trust Roadmap for OT: What the April 2026 Joint Guidance Means for Industrial Operators
CISA's April 2026 joint guidance 'Adapting Zero Trust Principles to Operational Technology' lays out a practical roadmap for applying zero trust in environments where the standard IT playbook doesn't work — legacy protocols, uptime requirements, and safety constraints included.
Iranian APT Groups Escalate Attacks on Internet-Exposed PLCs: Water, Energy and Government Under Threat
Since March 2026, Iranian-affiliated APT actors have been conducting disruptive attacks on internet-exposed programmable logic controllers across US critical infrastructure — particularly water/wastewater, energy, and government services. A joint advisory from CISA, FBI, NSA and US Cyber Command details the campaign and recommended mitigations.
CISA CI Fortify: What the New OT Isolation Guidance Means for Operational Technology Operators
CISA's CI Fortify initiative moves beyond standard patching guidance to address a harder problem: how critical infrastructure OT environments maintain operational continuity when internet, cloud, and telecom connectivity is severed during a geopolitical cyber crisis.
IEC 62443: The OT Security Standard Your Procurement Team Needs to Understand
IEC 62443 is the international standard series for industrial cybersecurity. This explainer covers the structure of the standard, what Security Levels mean in practice, the zones and conduits model, and how to reference 62443 in vendor contracts to actually improve your security posture.
OT Threat Landscape 2026: New Dragos Groups, Shrinking Exploit Windows, and the Visibility Crisis
Dragos's 2026 OT cybersecurity year-in-review identifies 26 threat groups specifically targeting operational technology -- including three newly tracked groups -- as exploit timelines compress to 24 days and fewer than one in ten OT networks have active monitoring. A practical analysis for OT security practitioners.
Default Credentials, Internet-Exposed PLCs, and the Unsophisticated Actor Problem
CISA's April 2026 joint advisory warns of Iranian-affiliated actors targeting internet-facing PLCs with basic techniques. The Poland energy attack demonstrated the real-world consequences. This analysis covers the threat, affected protocols, and what operators must do now.
Water Sector Cyber Threats 2026 -- From Oldsmar to Nation-State Pre-Positioning
Water and wastewater systems face a growing and diverse cyber threat -- from opportunistic attacks exploiting internet-exposed HMIs to sophisticated nation-state pre-positioning campaigns. This briefing covers the current threat landscape, attack vectors, and sector-specific defensive priorities.
NIS2 OT Compliance: What the 2026 Enforcement Wave Means for Industrial Operators
EU member states are now issuing the first formal NIS2 enforcement actions against operators of essential services. Industrial operators — energy utilities, water authorities, manufacturing firms, and transport operators — face binding cybersecurity obligations, supply chain security requirements, and 24-hour incident reporting duties that the prior NIS1 regime did not meaningfully enforce. What actually changed and what OT teams need to do.
CISA Advisory: ABB AC500 PLC Remote Code Execution in Manufacturing and Process Control
CISA has issued an advisory covering a critical remote code execution vulnerability in ABB's AC500 PLC series, one of the most widely deployed programmable logic controller families in European manufacturing, paper and pulp, food processing, and water infrastructure. The flaw affects the Modbus TCP server component and requires no authentication to exploit.
Claroty 2026 State of XIoT Security: OT Vulnerability Disclosures Hit New High
Claroty's annual State of XIoT Security report documents record-high vulnerability disclosures across operational technology, IoT, and connected medical devices. OT vulnerabilities now account for the majority of disclosed flaws, with critical infrastructure sectors facing compounded exposure from legacy device lifecycles and the accelerating advisory pace.
Volt Typhoon Pre-Positioning in US and UK OT Networks
China-nexus threat actor Volt Typhoon has systematically infiltrated operational technology networks across US and UK critical infrastructure sectors, establishing persistent footholds in energy, water, and communications systems for potential future disruption.
OT Network Segmentation: Purdue Model, DMZ Design, and Historian Isolation
A practical guide to network segmentation in OT environments, covering the Purdue Reference Model, industrial DMZ architecture, data historian isolation, and the tradeoffs between operational access and security posture.
Modbus and DNP3: Inherent Security Weaknesses in Legacy Industrial Protocols
Modbus and DNP3 were designed for reliability and interoperability, not security. An analysis of the structural security weaknesses in both protocols -- unauthenticated commands, lack of encryption, spoofing, and replay attacks -- and the compensating controls available to practitioners.
The OT Asset Inventory Problem: Visibility Gaps, Passive Discovery, and Unmanaged Devices
Most industrial operators cannot accurately enumerate the devices on their OT networks. This visibility gap is the foundational barrier to OT security -- you cannot protect what you cannot see. A practical look at passive discovery tools, the limits of vendor inventories, and strategies for building actionable asset visibility.