CloudSEK researchers have documented how artificial intelligence has fundamentally collapsed the barrier to targeting industrial control systems, compressing what once required weeks of specialist knowledge into a five-minute reconnaissance workflow.
The findings come as the 28 February 2026 US-Israel strikes against Iran triggered the largest single-event activation of Iranian-aligned cyber actors ever documented, with over 60 hacktivist groups mobilising within hours – many without deep ICS expertise, but now equipped with AI tools that make that expertise unnecessary.
Key Findings
- CloudSEK identified 40,000+ internet-exposed US industrial control systems immediately discoverable using AI-assisted reconnaissance – and confirmed that a passive five-minute workflow using free tools can identify live devices, retrieve default credentials, map accessible interfaces, and enumerate CVEs without authenticating to or probing a single system.
- OpenAI confirmed in October 2024 that Iranian-affiliated actors (CyberAv3ngers) used ChatGPT to conduct ICS reconnaissance, querying default credentials for industrial devices, generating Shodan search strings, and requesting automation scripts – one of the first documented uses of a commercial LLM by a state-affiliated actor against critical infrastructure.
- More than 60 Iranian-aligned hacktivist groups mobilised within hours of the 28 February 2026 strikes. The death of Supreme Leader Khamenei disrupted IRGC command structures, removing the political constraints that historically governed Iranian cyber targeting. Proxy and hacktivist groups now operate without accountability for civilian harm.
- US government reporting confirms 75+ US ICS devices were compromised in campaigns linked to the same threat ecosystem, including 34+ in the Water and Wastewater sector. The 2023 Aliquippa water plant compromise – forced onto manual operations by a default password – is the documented template these groups are replicating.
- Internet exposure across OT and ICS environments is worsening: 35% year-on-year growth in exposed systems and a 160% surge in Unitronics port 20256 exposure, despite two years of CISA advisories following the Aliquippa attack (ReliaQuest, H1 2025).
Why This Matters
The real shift is not in malware sophistication. It is in speed, scale, and accessibility. AI is enabling less technically mature actors to perform ICS reconnaissance that once required years of specialist knowledge.
In a conflict environment where over 60 groups are simultaneously activated and seeking accessible targets, AI compresses the cycle from intent to impact.
CloudSEK researchers reproduced the AI-assisted reconnaissance chain as a passive research exercise, mirroring the confirmed methodology. Following the same process, researchers identified multiple live instances of unauthenticated, internet-exposed ICS systems with direct operational impact potential.
CloudSEK notes that the passive nature of this research, standard HTTP requests against publicly indexed systems, is indistinguishable from what a threat actor would perform.
The cyber fallout from the Iran-US conflict is not limited to advanced state-linked operators. Loosely aligned hacktivists and proxy actors can now use AI-assisted workflows to identify and prioritise exposed industrial assets in real time, increasing the risk of opportunistic disruption to water treatment, energy distribution, fuel management, and manufacturing operations.
The same 28 February window also saw OpenAI confirm a partnership with the US Department of Defense, triggering a 295% spike in ChatGPT app uninstalls (Sensor Tower via TechCrunch). As commercial AI platforms face governance pressure around military use, threat actors migrate to unconstrained alternatives. The safety guardrails that limited CyberAv3ngers on ChatGPT in 2024 are a floor, not a ceiling.
Immediate Defensive Priorities
CloudSEK recommends that organisations urgently:
- Remove ICS management interfaces from the public internet immediately and place them behind VPN. This single action eliminates the AI-assisted passive reconnaissance attack path entirely.
- Change default credentials on all deployed ICS devices. The Unitronics default password 1111 is in a vendor manual, in CISA Advisory AA23-335A, and in active use on internet-exposed devices today.
- Block industrial protocol ports at the perimeter: TCP 20256, 102, 502, 44818, 1911 and UDP 47808 have no legitimate reason to be directly internet-accessible.
- Audit all third-party remote access to OT environments. IT managed service providers with tools on OT networks are confirmed entry points for supply chain attacks.
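One way to check a perimeter rule set against the port list above, as an added example that is not CloudSEK's or this blog's code. The rule format, the sample rules and the function names are constructed for illustration, and 203.0.113.0/24 is a documentation address range.

```python
# Ports the page says have no reason to be internet-reachable.
ICS_PORTS = [("tcp", 20256), ("tcp", 102), ("tcp", 502),
             ("tcp", 44818), ("tcp", 1911), ("udp", 47808)]

# Constructed sample in a made-up "action proto source dest-ports" format,
# evaluated first-match like a typical perimeter ACL. Not a vendor syntax.
SAMPLE_RULES = """
permit tcp 203.0.113.0/24 20256   # integrator's office range
permit tcp any 443
permit tcp any 500-510            # broad range that also covers 502
deny   tcp any 102
permit udp any 47808
deny   any any any
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, source, ports = line.split()
        lo, _, hi = ("1-65535" if ports == "any" else ports).partition("-")
        rules.append((action, proto, source, int(lo), int(hi or lo)))
    return rules

def verdict(rules, proto, port):
    """Status of one port as seen by an arbitrary internet host.
    Source-specific denies are not modelled, so RESTRICTED may be
    over-reported; OPEN is never under-reported."""
    restricted = False
    for action, r_proto, source, lo, hi in rules:
        if r_proto not in (proto, "any") or not lo <= port <= hi:
            continue
        if source != "any":
            # Applies to some sources only: note a permit, keep evaluating.
            restricted = restricted or action == "permit"
            continue
        if action == "permit":
            return "OPEN"
        break  # explicit deny for everyone else
    return "RESTRICTED" if restricted else "BLOCKED"  # incl. implicit deny

def audit(text):
    rules = parse_rules(text)
    return {f"{proto}/{port}": verdict(rules, proto, port)
            for proto, port in ICS_PORTS}

if __name__ == "__main__":
    for port, status in audit(SAMPLE_RULES).items():
        print(f"{port:10} {status}")
```

In the sample, the broad 500-510 range leaves tcp/502 OPEN even though no rule names it. A RESTRICTED result still means direct internet access from the listed source, which the first recommendation above would move behind VPN.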
CloudSEK’s findings are based on passive reconnaissance of publicly indexed information and exposed web interfaces, without logging into or actively probing any system.
You can read the research here: AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure | CloudSEK
Today Is International Women’s Day
Posted in Commentary on March 8, 2026 by itnerd
International Women’s Day 2026 is being celebrated today under the theme “Give To Gain,” emphasizing support, collaboration, and gender equality. Since this is a tech blog, I reached out to a pair of women in tech to get their views on this important day.
Margaret Hoagland, VP, Global Sales & Marketing, SIOS Technology
“On International Women’s Day, we honor the courage of women like Anita Hill, Ruth Bader Ginsburg, and Malala Yousafzai—whose bravery and sacrifice reshaped the future for women everywhere. Their leadership expanded rights, opportunity, and voice. But progress is not permanent. Without our continued vigilance and action, the gains they fought for can be eroded. Let us honor their legacy not only with words, but with sustained action to protect and advance equality for the next generation.”
Betsy Doughty, Vice President of Partner Marketing, Hammerspace
Gender equality advances when we choose to build it – deliberately, consistently, and together. Throughout my career, whether leading employee resource groups, running WILD (Women Inspiring Leadership Development), mentoring women at CU Leeds, or learning from mentors myself, I’ve seen that progress doesn’t happen by accident; it happens through intentional connection. The theme Give to Gain reflects what I’ve experienced firsthand: when we give time, advocacy, and opportunity, we gain perspective, growth, and stronger communities in return. What I’ve experienced firsthand is that when we give time, advocacy, and opportunity, we gain perspective, growth, and stronger communities in return. Nowhere is that more evident than in mentorship and networking, and particularly women learning from other women.
Mentorship changed everything for me. Early in my career, mentors recognized my potential before I could articulate it myself. They listened, advocated, and created opportunities that altered my trajectory. They showed me that great mentors don’t hold talent in place – they help it move forward. Over time, I stepped into mentoring roles of my own, offering guidance, opening doors, and supporting women at pivotal moments in their careers. What surprised me most was how much I gained in return: clarity, self-reflection, fresh perspective, and the privilege of watching confident, capable leaders emerge. You don’t need to be at the peak of your career to mentor; you simply need to share what you’ve learned so far.
Networking plays a similarly powerful role. For women, especially, access to networks builds visibility, confidence, and a sense of belonging. Creating intentional spaces for connection fosters shared language around growth and leadership, turning individual success into collective momentum. For me, Give to Gain is not an abstract idea—it’s a lived experience. Every time we choose to lift one another as we climb, we strengthen not just individual careers, but the foundation for lasting gender equality.