For most of the past decade, operational technology* (OT) was treated as a slow problem. The systems that run pumps, turbines, and treatment plants were managed on engineering timescales, refreshed every few years, patched in careful maintenance windows, and largely left alone because they worked.
That assumption no longer holds. In 2026, OT risk started moving at the speed of the news cycle.
This is our read on what changed, and why it should reshape how critical infrastructure operators think about exposure, not just how they buy tools.
Key takeaways
- The character of OT risk has shifted. It used to follow engineering cycles. It now follows geopolitics, on a timescale of hours.
- Two attacks in late 2025 and 2026, one Iranian and one Russian, prove this is a pattern across hostile states, not a single-country story.
- The barrier to entry has dropped. AI-assisted reconnaissance means motivated actors with no industrial background can find exposed targets in minutes.
- The defensive work has to be done before the next conflict, because you cannot pull a controller off the internet calmly during a live attack.
What happened, briefly
On 28 February 2026, the US and Israel struck Iranian nuclear and military sites. Within hours, the scanning started. CloudSEK tracked more than 60 Iran-aligned hacktivist groups activating on Telegram, coordinating through a shared channel they called the “Electronic Operations Room.” Several went after industrial control systems* (ICS) at US critical infrastructure.
Six weeks later, on 7 April, the FBI, CISA, NSA, EPA, the Department of Energy and US Cyber Command jointly warned that Iranian-affiliated actors were actively exploiting internet-facing programmable logic controllers* (PLCs) across US water, energy and government systems. The advisory confirmed operational disruption and financial loss at multiple victims. This was the same group, CyberAv3ngers, that hit US water utilities in 2023, now exploiting a known, hard-to-patch flaw in widely deployed controllers rather than walking in through default passwords.
Here is the part that matters most. This isn’t only an Iranian story.
Two months before the strikes, on 29 December 2025, a coordinated attack hit more than 30 Polish wind and solar farms and a large heat and power plant supplying almost half a million customers. The attackers got in through vulnerable internet-facing edge devices and reused credentials, then deployed wiper malware to destroy data and damage controllers. Endpoint detection blocked the wiper at the heat and power plant before it finished, and supply held. CERT Polska tied the infrastructure to a Russia-linked group, Static Tundra, also tracked as Berserk Bear and Dragonfly.
Different country. Different malware. Same way in: an industrial system reachable from the internet, attacked at a moment of maximum geopolitical leverage. The Polish attack landed during a cold snap just before the New Year, when a heating outage would have hurt most. The timing wasn’t an accident.

Why this marks a shift, not just a bad year
It would be easy to file these as two unconnected incidents. We think that misses the shift underneath them.
OT risk used to be governed by factors inside the operator’s control: the age of the equipment, the patch backlog, the maturity of the maintenance programme. Those still matter. But they’re no longer the variables that decide when you get attacked.
In the new era, two external factors set the tempo. The first is how reachable your control systems are from the internet. The second is where your country and your sector sit relative to active conflicts. When both line up, the gap between a geopolitical event and an attack on your equipment can be measured in hours.
That changes the nature of the exposure. CloudSEK estimated more than 40,000 ICS devices reachable from the public internet in the US alone, many with weak or default credentials. A reachable controller is a standing target that does nothing dangerous on a quiet day and becomes a live objective the moment a missile lands somewhere.
The skill barrier has dropped too. In one CloudSEK demonstration, a person with no industrial background built a list of accessible US targets in under five minutes using AI tools and passive research, with no scanning or exploit kit. The pool of people who can reach OT is no longer limited to a handful of state teams. And because the recent mobilisation was driven more by ideology than central command, it’s harder to predict or contain.

Where most organisations are still thinking the old way
The mental model most operators carry into this is outdated, and it tends to fail in three places.
They treat OT as an engineering asset rather than a security one. It’s owned by operations, monitored lightly, and trusted because it has run quietly for years. That ownership gap is where exposure hides.
They model threat against their own sector and their own CVE* list, not against geopolitics. So they prepare for the threats that fit their industry and miss the ones that arrive because of who their government just bombed.
And they assume response can be improvised. It can’t. Taking a controller off the internet, segmenting a network or rebuilding from clean backups are slow, deliberate jobs. None of them work well when carried out in a panic during an active intrusion. As one practitioner put it after the Polish attack, defensive actions cannot be improvised under pressure.
How to think about it now
The shift we’d argue for is from “is it patched?” to a different pair of questions: is it reachable, and who would want to disrupt it during a crisis?
That reframing pulls OT into the security programme proper. The same disciplines that protect the IT estate- asset visibility, identity hardening, segmentation, and tested recovery- have to extend across the operational side, with someone accountable for it who sits inside security rather than only inside operations.
It also means modelling risk against the geopolitical calendar. If your country or sector is exposed to a live conflict, the working assumption should be that your reachable devices are already on a list, and that pre-positioned access may already exist inside your network. Both the Iranian and Russian campaigns involved quiet reconnaissance long before anything destructive happened.
What to actually do
None of this requires exotic capability. It requires doing the unglamorous work before it’s urgent. A few priorities hold up across both cases:

- Find and remove internet-exposed OT. Inventory every controller, remote terminal unit (RTU)*, and operator screen; remove management interfaces from the public internet; and put remote access behind a VPN with multi-factor authentication.
- Remove default and shared credentials on industrial and edge devices. Both campaigns relied on them.
- Treat your edge devices as part of the OT attack surface. They were the way in for the Polish attackers. Patch them on a real schedule and watch them.
- Back up controller configurations offline and test recovery. Wiper malware is built to make recovery slow and expensive, so the test is the control, not the backup.
- Map your threat model to geopolitics. Track the conflicts your sector is exposed to and raise readiness when tensions rise, rather than after an incident.
These are achievable for most teams. The blocker is usually organisational, not technical: OT sits outside the programme that covers everything else, and no one quite owns its security.
The bottom line
The lesson from February’s strikes and December’s wiper attack is the same. OT exposure has become a real-time geopolitical liability, and the response can’t be assembled after the trigger event.
The operators who came through 2026 in the best shape were the ones who had already taken their controllers off the internet and tested their recovery before they needed it. That’s the work, and the window to do it is always before the next conflict, not during it.
If you run OT or critical infrastructure and you can’t say with confidence what’s currently reachable from the internet, that’s the place to start.
If you operate OT or critical infrastructure and cannot state with confidence which systems are reachable, who can access them and how quickly they can be restored, that is the right place to start. ThreatScene supports organisations in identifying OT exposure, strengthening remote access and improving incident readiness across critical environments. Learn more about our approach to energy and infrastructure security.
Stay ready. Stay resilient. Stay operational.
Curated with purpose, delivered with precision | ThreatScene Team

A note on terms
*OT (operational technology): the systems that run physical processes, as opposed to IT, which runs data and communications.
*ICS (industrial control systems): the broad category of equipment that monitors and controls physical processes in plants and utilities.
*PLC (programmable logic controller): a rugged industrial computer that controls equipment directly, such as opening valves or starting pumps.
*RTU (remote terminal unit): a field device that monitors and controls remote equipment and reports back to a central system.
*CVE (common vulnerabilities and exposures): the standard reference system for publicly known security flaws.
Sources
CISA, FBI, NSA, EPA, DOE and US Cyber Command, “Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers” (Joint Advisory AA26-097A), 7 April 2026. https://www.ic3.gov/CSA/2026/260407.pdf
CISA, “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities” (Advisory AA23-335A), December 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
Tenable Research Special Operations, “What to Know About CyberAv3ngers: The IRGC-Linked Group Targeting Critical Infrastructure,” April 2026. https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
CERT Polska, “Energy Sector Incident Report – 29 December 2025,” published 30 January 2026. https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/
CISA, “Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps” (Alert amplifying CERT Polska), 10 February 2026. https://www.cisa.gov/news-events/alerts/2026/02/10/poland-energy-sector-cyber-incident-highlights-ot-and-ics-security-gaps
CloudSEK, “AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure,” March 2026. https://www.cloudsek.com/blog/ai-the-iran-us-conflict-and-the-threat-to-us-critical-infrastructure


