< ciso
brief />
Tag Banner

All news with #ot security tag

351 articles · page 5 of 18

Iran-linked PLC Attacks Disrupt US Critical Infrastructure

⚠️Six US agencies warn an Iranian-affiliated group has compromised internet-exposed programmable logic controllers at water, energy, and government facilities since at least March 2026. The actors used leased overseas infrastructure and legitimate Rockwell Automation configuration tools to access CompactLogix and Micro850 controllers. Victims suffered operational disruption, project file theft, altered SCADA/HMI data, and persistent remote access.
read more →

Iran-Backed Hackers Target US CNI via Internet-Facing OT

⚠ Iranian-affiliated threat actors have been exploiting internet-facing operational technology (OT) assets to target US critical national infrastructure (CNI) providers since late March, according to a CISA advisory. Attackers used vendor configuration tools such as Rockwell Automation's Studio 5000 Logix Designer to create accepted connections to PLCs and manipulated HMI/SCADA displays. Observed inbound traffic used ports 44818, 2222, 102, 22 and 502 and included deployment of Dropbear SSH for remote access. Agencies urge immediate log review, segmentation, and removal of direct internet exposure for PLCs.
read more →

Iran-Linked Hackers Disrupt U.S. OT Devices and PLCs

🔒 Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across U.S. critical infrastructure, including energy, water and government facilities. U.S. agencies warn attackers used third-party hosted infrastructure and Rockwell Automation tools to connect to CompactLogix and Micro850 PLCs, deploy Dropbear SSH, extract project files, and manipulate HMI/SCADA displays, causing degraded functionality and disruption. Organizations are advised to remove internet exposure, enforce multi-factor authentication, place firewalls or proxies in front of PLCs, disable unused features, keep devices up to date, and monitor for anomalous traffic.
read more →

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.
read more →

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. The actor has modified a list of VPS-hosted DNS servers since 2024 and exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns use DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.
read more →

Mitsubishi Electric GENESIS64 and ICONICS Suite Fixes

🔒 CISA reports two high‑severity vulnerabilities (CVE‑2025‑14815, CVE‑2025‑14816) in Mitsubishi Electric GENESIS64, ICONICS Suite, and related products that may expose SQL Server credentials stored in local caches or displayed in the Hyper Historian Splitter GUI. Successful exploitation could enable disclosure, tampering, or denial of service on affected systems. Vendor updates are available (10.98+ for GENESIS64/ICONICS products and 11.03+ for GENESIS); administrators should disable local cache, delete cache files, prefer Windows authentication, and restrict administrative and remote access until patches are applied.
read more →

Iranian-Linked Actors Target Internet-Facing PLCs in US

🚨 CISA, the FBI, NSA and partner agencies warn that Iranian-affiliated APT actors are actively exploiting internet-facing operational technology controllers, notably Rockwell Automation/Allen-Bradley PLCs. The actors used vendor configuration software and leased overseas hosting to access exposed PLCs, extracted project files, and altered data shown on HMIs and SCADA displays, causing operational disruption and financial loss. Organizations should urgently apply the advisory's IOCs and mitigations: remove PLCs from direct internet exposure, enforce access controls and MFA, and contact vendor and federal incident contacts if targeted.
read more →

Securing Physical Systems as OT Comes Online in IT Era

🔒 Operational technology (OT) is rapidly moving online, creating new cyber-physical risks as industrial control systems connect to corporate IT. In a Fortinet Brass Tacks podcast, KPMG’s Hossain Alshedoki explains how visibility, culture, and measured extension of IT controls into OT are essential. He stresses resilience over replication of IT models, and prioritizes asset discovery before automation.
read more →

Most UK CNI Firms Face Up to £5m OT Downtime Costs

🔒 A survey by e2e-assure of 250 UK critical national infrastructure (CNI) cybersecurity decision-makers found 80% of organisations expect operational technology (OT) downtime costs between £100,000 and £5m, with 23% reporting incidents exceeding £1m and 6% above £5m. Nearly two-thirds said they fear nation-state attacks, and the vendor warned attackers commonly pivot from IT into exposed OT environments. Respondents also highlighted limited OT visibility and supply-chain risks that hinder detection, response and remediation efforts.
read more →

78% of UK Manufacturers Suffer Serious Cyber Incidents

🔒 New ESET polling of 500 senior IT, OT, operations, risk and security leaders shows 78% of UK manufacturers experienced a serious cyber incident in the past year. Most (95%) saw direct business impact and 53% reported financial losses, with supply chain disruption and missed commitments common. Respondents flagged AI-enabled attacks as the top production threat, yet only 22% assign cyber accountability to the board.
read more →

External Forces Reshaping Cybersecurity Risk Today

🔒Over the past four years organizations have been increasingly challenged by threats that originate in third-party networks, with more than 35% of breaches tied to compromised vendors or partners. International conflict, generative AI and growing supply-chain exposure are accelerating risk and extending impact to Operational Technology (OT) and IoT environments. Leaders should elevate OT risk to the board, adopt immutable 3-2-1-1 backup strategies, and establish an AI Risk Council to enforce governance and pentesting before broad AI adoption.
read more →

Critical CLI Escape in WAGO Managed Switches (CVE-2026-3587)

⚠️ An unauthenticated remote attacker can trigger a hidden CLI function in WAGO industrial managed switches to escape the restricted interface and gain full control of the device. The vulnerability is tracked as CVE-2026-3587 and classified under CWE-912. CISA rates the issue CRITICAL with a CVSS v3.1 base score of 10.0. Operators should install vendor fixed firmware or, as an interim measure, disable SSH and Telnet.
read more →

Pharos Controls Mosaic Show Controller Critical RCE

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.
read more →

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.
read more →

Schneider Electric Foxboro DCS Deserialization Flaw Patched

🔒 Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.
read more →

Water Utilities Boost Cybersecurity Through Cooperation

💧Water utilities facing aging operational systems and limited IT staff are improving cybersecurity by sharing information and coordinating responses. A two-year pilot led by the Cyber Readiness Institute and the Center on Cyber and Technology Innovation, sponsored by Microsoft, enrolled about 200 small and mid-sized utilities. The study found that combining cybersecurity training with hands-on technical assistance, stronger sector links and practical support is more effective than distributing guidance alone.
read more →

Schneider Electric Modicon M241/M251/M262 DoS Vulnerability

⚠️ Schneider Electric disclosed a CWE-404 Improper Resource Shutdown or Release vulnerability (CVE-2025-13901) affecting Modicon M241, M251, and M262 controllers that can cause a partial denial-of-service of the Machine Expert protocol when an unauthenticated actor sends a crafted payload. The issue is rated CVSS v3.1 5.3 (Medium). Vendor firmware updates (M241/M251: 5.4.13.12; M262: 5.4.10.12) are available. Until updates are applied, isolate controllers, restrict network access, and use encrypted remote connections.
read more →

EcoStruxure Automation Expert: Vulnerability and Patch

⚠️Schneider Electric has disclosed a vulnerability in EcoStruxure Automation Expert (CVE-2026-2273), a CWE-94 code injection flaw that can execute arbitrary commands on an engineering workstation when an authenticated user opens a malicious project file. The issue affects versions prior to v25.0.1 and carries a CVSS v3.1 base score of 8.2 (High). Schneider fixed the vulnerability in v25.0.1; administrators should apply the vendor update promptly or implement recommended mitigations — including restrictive file permissions, storing project files in user home directories, and verifying file authenticity — to reduce the risk of workstation and broader system compromise.
read more →

Schneider Electric Modicon Controllers XSS Advisory

🔒 CISA warns of a cross-site scripting and open redirect vulnerability (CVE-2025-13902) affecting Schneider Electric Modicon controllers M241, M251, M258, and LMC058. Successful exploitation may enable account takeover or arbitrary JavaScript execution in a user's browser. Schneider provides firmware 5.4.13.12 for M241 and M251 via EcoStruxure Machine Expert v2.5.0.1; M258 and LMC058 currently require mitigations. No known public exploitation has been reported.
read more →

Mitsubishi Electric CNC Series: Out-of-Bounds Read Issue

⚠️ A vulnerability (CVE-2025-2399) in Mitsubishi Electric CNC Series can be exploited remotely to trigger an out-of-bounds read and cause a denial-of-service by sending specially crafted packets to TCP port 683. A range of M800, M80, M70, E70/E80, C80 and NC Trainer models are affected. Mitsubishi Electric has published fixed firmware builds (BC or later, FN or later depending on model); users should contact their vendor representative to obtain and apply updates. If immediate updates are not possible, the vendor recommends restricting network exposure, firewalling, using VPNs, enabling IP filters where available, and limiting physical and network access.
read more →