Iran–US Escalation Heightens Risk to Industrial Systems: CloudSEK

CloudSEK today released a threat landscape assessment warning that more than 60 hacker groups mobilised within hours of the February 28, 2026 Iran–US military escalation — and that tens of thousands of US industrial control systems remain directly reachable from the internet, many with no authentication beyond a factory-default password.

The report, “A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran–US Conflict,” identifies a two-tier threat ecosystem: nation-state APTs pre-positioned inside US networks for years, and a fast-expanding pool of state-backed hacktivist proxies that need nothing more than an exposed device and a motivation to cause national-headline disruption.

CloudSEK’s report finds that the industrial attack surface remains exposed at scale. In the United States alone, researchers identified approximately 182.2K internet-exposed industrial and automation-related assets (including both live and historically observed systems). Many of these were found to be actively reachable and exposed without authentication.

The exposure is not limited to the US: Israel recorded around 104.9K such assets, while the United Kingdom showed roughly 88.8K exposed assets. CloudSEK notes that these listings represent industrial or automation-related devices observed on the public internet, underscoring the scale of potential targeting during periods of geopolitical escalation.

Key highlights from the report

  • Rapid mobilization after escalation: CloudSEK observed a sharp rise in hacktivist and proxy activation following February 28, increasing the volume of actors scanning for high-visibility infrastructure targets.
  • Exposure at scale across industrial protocols: The report identifies large volumes of internet-reachable industrial services in the US, across widely used ICS/OT and automation protocols and platforms — indicating that many operational environments remain discoverable from the public internet.
  • Three primary routes from discovery to impact:
    1. Direct access to exposed industrial interfaces (often enabled by weak/default credentials)
    2. Phishing and compromise of OT-adjacent users and vendors (engineering workstations, operators, third-party access)
    3. Enterprise IT compromise followed by lateral movement into OT, allowing adversaries to pre-position access and activate during crisis windows
  • Basic weaknesses continue to enable real-world compromise: The report underscores that industrial incidents often stem from long-standing issues — internet exposure, unsecured remote access, and default credentials — rather than rare, highly advanced exploits.
  • Operational risk is physical by design: Unlike purely digital attacks, ICS/OT compromise can affect physical processes, making disruption potentially immediate and safety-relevant.

Why default access and exposed interfaces remain a critical risk

CloudSEK’s assessment notes that many industrial environments remain vulnerable because exposed devices and interfaces can be identified quickly through standard internet scanning. In such cases, attackers may not need to exploit software vulnerabilities — they only need to find an exposed system and gain access using weak or default authentication.

This dynamic becomes more dangerous during periods of escalation, when some actors prioritise visibility and disruption over stealth.

Recommended actions for operators and defenders

CloudSEK urges critical infrastructure owners and operators to prioritise immediate, practical defensive measures:

  • Remove ICS/OT management interfaces from the public internet wherever possible; enforce VPN-only access for remote operations
  • Eliminate default credentials and strengthen authentication on industrial devices and management consoles
  • Restrict industrial protocol exposure at the perimeter and shut down unnecessary remote-access services
  • Audit and limit third-party remote access into OT environments (MSPs/RMM tools, vendor pathways)
  • Improve monitoring and logging in OT-adjacent environments to detect unauthorised access and lateral movement early
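As an added illustration of how the recommendations above can be turned into a repeatable check against an asset inventory (example code written for this page, not part of the CloudSEK report), the script below scores each asset on the conditions the report singles out: internet reachability, missing or default authentication, unnecessary remote-access services, and third-party access paths that bypass the VPN. The inventory, asset names and the `Asset` fields are constructed for the demonstration; the port-to-protocol mappings are well-known defaults, not values from the report.

```python
from dataclasses import dataclass

# Well-known default ports for common industrial and remote-access services (general knowledge).
INDUSTRIAL = {502: "Modbus/TCP", 102: "Siemens S7", 20000: "DNP3", 44818: "EtherNet/IP", 4840: "OPC UA"}
REMOTE_ACCESS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}

@dataclass
class Asset:                    # hypothetical inventory record (constructed for this example)
    name: str
    port: int
    internet_reachable: bool
    auth: str                   # "none", "default" or "strong"
    vendor_path: bool = False   # MSP/RMM tool or vendor remote access into the device
    vpn_only: bool = False      # reachable only through the site VPN

def triage(assets):
    # Returns (name, severity, reasons) per asset, worst first.
    findings = []
    for a in assets:
        reasons = []
        exposed = a.internet_reachable and not a.vpn_only
        if exposed:
            svc = INDUSTRIAL.get(a.port) or REMOTE_ACCESS.get(a.port, str(a.port))
            reasons.append(f"{svc} reachable from the internet")
        if a.auth == "none":
            reasons.append("no authentication")
        elif a.auth == "default":
            reasons.append("default credentials")
        if exposed and a.port in REMOTE_ACCESS:
            reasons.append("unnecessary remote-access service at the perimeter")
        if a.vendor_path and not a.vpn_only:
            reasons.append("third-party remote access outside VPN")
        # Route 1 in the report: discovery plus weak/no authentication needs no exploit at all.
        if exposed and a.auth in ("none", "default"):
            severity = "critical"
        elif exposed or a.auth != "strong" or (a.vendor_path and not a.vpn_only):
            severity = "high"
        else:
            severity = "ok"
        findings.append((a.name, severity, reasons))
    order = {"critical": 0, "high": 1, "ok": 2}
    return sorted(findings, key=lambda f: order[f[1]])

# Constructed sample inventory for demonstration only.
SAMPLE = [
    Asset("plc-boiler-01", 502, True, "default"),
    Asset("hmi-line-2", 5900, True, "strong"),
    Asset("eng-ws-03", 3389, False, "strong", vendor_path=True),
    Asset("plc-pump-07", 44818, True, "strong", vpn_only=True),
]
```

Running `triage(SAMPLE)` puts the internet-reachable PLC with default credentials at the top, flags the exposed VNC console and the vendor path into the engineering workstation as high, and leaves the VPN-only PLC clean.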
