
All news with #ics security tag

103 articles

ZionSiphon OT Malware Targets Water Treatment Systems

💧 Researchers at Darktrace identified ZionSiphon, a new operational technology malware engineered to sabotage water treatment and desalination environments. The sample includes routines to increase chlorine dosing, force valves open, and raise RO pressure by appending fixed configuration entries, and it propagates via USB as a hidden svchost.exe. A faulty IP verification routine currently prevents activation, but attackers could correct the logic to enable dangerous OT manipulation.

Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen-Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Researchers at Censys found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.

GPL Odorizers GPL750 Vulnerability Allows Modbus Tampering

🔐 A vulnerability in GPL Odorizers GPL750 controllers (CVE-2026-4436) permits a low-privileged remote attacker to send unauthenticated Modbus packets that alter register values used by the odorant injection logic, potentially causing excessive or insufficient odorant dosing in gas lines. Affected XL4/XL4 Prime/XL7/XL7 Prime firmware ranges are documented and the issue is rated CVSS 3.1 8.6 (High). Vendors provide firmware updates and installation guidance; apply updates, isolate controllers on control networks, and follow ICS security best practices.

CISA: Critical BASC-20T Vulnerability Allows Remote Control

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) reports a high-severity vulnerability in Contemporary Controls BASC 20T (BASControl20 v3.1, CVE-2025-13926). An unauthenticated attacker who can sniff network traffic may forge packets to enumerate components, reconfigure, rename, delete items, perform file transfers, and invoke remote procedure calls. CISA assigns a CVSS v3.1 base score of 9.8 and notes the product is considered obsolete; users are advised to contact the vendor for guidance and to reduce network exposure.

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.

Critical CODESYS Vulnerabilities in Festo Automation Suite

⚠ CISA warns that multiple critical vulnerabilities affect CODESYS components bundled with Festo Automation Suite, including several issues rated CVSS 3.1 9.8. Affected installations include FAS releases prior to 2.8.0.138 and FAS 2.8.0.137 when using CODESYS 3.0 or 3.5.16.10; beginning with FAS 2.8.0.138, CODESYS is no longer bundled and must be installed separately. Vendors recommend updating to CODESYS Development System 3.5.21.20, applying Festo updates, avoiding untrusted project files, and minimizing network exposure of control systems.

Critical Modbus TCP Vulnerability in Schneider SCADAPack

⚠️ Schneider Electric has disclosed a critical vulnerability affecting SCADAPack x70 RTUs (including SCADAPack 47xi, 47x, and 57x) that communicate over Modbus TCP. Exploitation could allow remote code execution, denial of service, and loss of confidentiality or integrity. Known affected products include SCADAPack 57x and RemoteConnect versions prior to R3.4.2; vendor fixes are available in RemoteConnect R3.4.2 and SCADAPack firmware 9.12.2. If immediate patching is not possible, implement network segmentation, enable the RTU firewall service, disable the logic debug service, and follow the SCADAPack security guidelines.

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state-sponsored and Iran-linked actors likely retain some capability despite Iran's domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.

Record Highs in Industrial Control System Vulnerabilities

🔒 Forescout's new report finds that 2025 saw a record 508 ICS advisories covering 2,155 CVEs and a notable rise in vulnerability severity. The average CVSS for advisories rose to above 8.0 in 2024–2025, with the most affected assets including Purdue Level 1 field controllers, Level 3 operational systems and control-level devices. The vendor warns that reduced CISA advisory coverage and many untracked vulnerabilities increase OT/ICS risk and calls for greater vendor accountability and industry collaboration.

Welker OdorEyes XL4 Controller Missing Authentication

🛡️ The Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller contains an authentication vulnerability tracked as CVE-2026-24790 that permits remote influence of the underlying PLC without proper safeguards. Successful exploitation could cause over- or under-odorization events, impacting safety and process control. CISA rates this issue High (CVSS 3.1 8.2) and recommends contacting Welker, minimizing network exposure, isolating control networks, and using secure remote-access methods such as updated VPNs.

EnOcean SmartServer IoT: Remote Code Execution Risk

🔒 A pair of vulnerabilities in EnOcean SmartServer IoT firmware (<=4.60.009) can be exploited via crafted LON IP-852 management messages to execute arbitrary OS commands or trigger memory corruption. CVE-2026-20761 (command injection) carries a CVSS 3.1 score of 8.1 and permits remote command execution; CVE-2026-22885 is an out-of-bounds read (CVSS 3.1 score 3.7) that can leak memory. EnOcean advises updating to SmartServer 4.6 Update 2 (v4.60.023) or later, and CISA recommends isolating devices, avoiding internet exposure, using secure remote access, and monitoring for suspicious activity.

Valmet DNA Engineering Web Tools Vulnerability Overview

🛡️ An unauthenticated attacker can exploit a path traversal vulnerability in Valmet DNA Engineering Web Tools (CVE-2025-15577) by manipulating the web maintenance services URL to obtain arbitrary file read access. The issue is an instance of Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and is rated CVSS 3.1 8.6 (High). Valmet has released a fix and recommends customers contact their automation customer service for remediation assistance. CISA advises reducing internet exposure for control system devices, isolating networks behind firewalls, and applying defense-in-depth controls.

Poland Energy Sector Cyber Incident Exposes OT Gaps

⚠️ A cyber actor compromised OT and ICS in Poland's energy sector in December 2025, affecting renewable plants, a combined heat and power facility, and a manufacturing company. Attackers gained access via vulnerable internet-facing edge devices, deployed wiper malware, destroyed HMI data, corrupted firmware, and damaged RTUs, causing loss of view and control. Production continued at some sites, but operators could not monitor or control systems as designed. Stakeholders are urged to enable firmware verification, change default credentials, and replace end-of-support edge devices.

CISA Guidance: Barriers to Secure OT Communication

🔒 CISA released guidance that examines why legacy industrial protocols are often insecure-by-design and why available protections are not widely adopted. Developed with OT equipment manufacturers and standards bodies, the document reports findings from interviews with asset owners and operators about motivations to secure communication and barriers they face. The guidance identifies practical, operational, and technical obstacles and offers recommendations for owners and operators and manufacturers to drive more usable, sustainable security capabilities.

CISA Guide Helps Critical Infrastructure Adopt Secure OT

🔒 CISA released Barriers to Secure OT Communications: Why Johnny Can’t Authenticate to help operational technology (OT) owners, operators, integrators, and manufacturers adopt more secure communications. Based on interviews with stakeholders across Water and Wastewater, Transportation, Chemical, Energy, and Food and Agriculture sectors, the guide explains why insecure legacy industrial protocols persist and how threat actors can impersonate devices or alter messages. It identifies practical barriers—cost and complexity, latency and bandwidth, inspection issues from encryption, and interoperability with legacy products—and offers actionable recommendations to reduce friction and improve usability when procuring, deploying, and maintaining secure OT communications.

Global survey of 100 energy sites finds widespread OT risks

🔍 A study by OMICRON based on multi-year deployments of its StationGuard IDS across more than 100 substations, power plants, and control centers found pervasive cybersecurity and operational shortcomings. Passive network monitoring exposed unpatched PAC devices, undocumented external connections, weak segmentation, and incomplete asset inventories—issues often visible within 30 minutes of connection. The findings emphasize the need for protocol-aware, network-level detection and automated asset discovery to meet frameworks such as IEC 62443 and NIST.

Cyber Threat Actors Intensify Attacks on Industrial ICS

🔒 Cyble's Annual Threat Landscape Report 2025 (published Jan 15, 2026) found a sharp rise in attacks against industrial environments, with ICS vulnerability disclosures nearly doubling to 2,451 across 152 vendors in 2025. The report highlights an August spike (802 disclosures) and Q3 accounting for 45.26% of disclosures. HMI and SCADA systems were increasingly exploited, with Siemens and Schneider among the most affected vendors. Cyble warns threat actors — including ransomware groups and coordinated hacktivists — will focus on exposed HMI/SCADA and VNC takeovers in 2026.

Siemens Industrial Edge Authorization Bypass Vulnerability

🔒 Siemens and CISA report an authorization bypass in multiple Siemens Industrial Edge and related devices (CVE-2025-40805) that can allow an unauthenticated remote attacker who knows a legitimate user's identity to impersonate that user. Siemens has released firmware and software updates for many affected models and is preparing additional fixes. Where updates are not yet available, Siemens and CISA advise network isolation, minimizing internet exposure, use of secure remote access (VPNs), and other compensating controls to limit risk.

Festo Firmware: Undocumented Remote Functions Risk

⚠️ Festo SE & Co. KG and CISA report that numerous Festo firmware products contain undocumented remote-accessible functions and missing port/protocol documentation, tracked as CVE-2022-3270 with a CVSS v3.1 base score of 9.8. An unauthenticated remote attacker could leverage these undocumented protocol functions to cause full loss of confidentiality, integrity, and availability. Festo intends to address the issue by updating technical user manuals in the next product versions; operators should meanwhile reduce network exposure, enforce firewalls, and use VPNs and encrypted links.

Schneider Electric EcoStruxure Power Build Vulnerabilities

🔒 Schneider Electric disclosed vulnerabilities in EcoStruxure Power Build Rapsody that can cause memory corruption and buffer overflows when importing project (SSD) files. Two tracked issues — CVE-2025-13844 (double free, CVSS 5.3) and CVE-2025-13845 (use-after-free, CVSS 7.8) — may allow local attackers to execute code if a user opens a malicious file. Schneider released regional fixed builds; users should install the appropriate update, restart services, and follow recommended mitigations if patching is delayed.