In April 2026, CISA issued a wave of Industrial Control System (ICS) advisories flagging critical vulnerabilities in Honeywell, Mitsubishi Electric, Delta Electronics, and rail communication protocols. At the same time, AVTECH IP cameras deployed across financial institutions, hospitals, and transportation hubs are being actively exploited to propagate Mirai-based botnets. The message is unambiguous: IoT/OT security has moved from a niche concern to a mainstream enterprise risk, and the attackers know it.
Unlike IT environments, Operational Technology (OT) networks present a unique challenge for defenders. Hardware lifecycles span 15 to 30 years. Industrial protocols like Modbus, DNP3, and PROFINET were designed for reliability, not security. Many PLCs and RTUs still ship with default credentials that are never changed post-deployment. And the operational reality of industrial environments means patches are often deferred indefinitely: you cannot take a production line offline at will.
The result is a growing attack surface that combines the accessibility of IT networks, now increasingly interconnected with OT, with the physical consequences of OT compromise: production downtime, equipment damage, and in the most severe cases, risk to human life.
The 2026 IoT/OT Threat Landscape
Multiple reports and government advisories published in April 2026 paint a consistent picture of escalating IoT/OT risk.
The OT-ISAC has consolidated an advisory covering critical vulnerabilities across industrial control and management systems. Attack paths range from unauthenticated network access to management-plane abuse, local credential disclosure, and malicious file handling in engineering workstations. The common thread is low-to-moderate attacker sophistication: these are not zero-day exploits requiring nation-state resources. They are standard techniques applied to systems that were never hardened.
Forescout's 2026 ICS Cybersecurity Report highlights three structural reasons why the OT attack surface keeps expanding:
- IT/OT convergence: integrating industrial networks with corporate systems for remote monitoring and analytics creates direct bridges between frequently compromised IT networks and the OT core.
- Industrial IoT (IIoT) expansion: the proliferation of connected sensors, smart meters, PLCs, and actuators multiplies potential entry points dramatically.
- Legacy remote access: VPN and remote desktop deployments installed during the pandemic remain active with outdated configurations and weak credential hygiene.
CISA's April 2026 ICS advisories covering Honeywell, Mitsubishi Electric, Delta Electronics, and rail signaling systems urge critical infrastructure operators to apply mitigations immediately. No active exploitation was confirmed for these advisories at publication time, but the window between CVE disclosure and weaponized exploitation in ICS has narrowed significantly in recent years.
Critical ICS/SCADA Vulnerabilities: April 2026 Advisories
The most actionable threats this month include several widely deployed platforms:
Delta ASDA-Soft and Delta GENESIS64: vulnerabilities in project file handling enable a low-complexity attack path. An attacker with network access can craft a malicious project file that, when opened by an operator, executes arbitrary code on the engineering workstation. This is a well-documented technique mapped to MITRE ATT&CK for ICS T0873 (Project File Infection), and its low complexity significantly widens the range of actors capable of exploiting it.
Mitsubishi GENESIS64 and ICONICS Suite: shared underlying components expose cached credentials to attackers with local or adjacent network access. Once credentials are recovered, an attacker can pivot to the PLCs and actuators managed through these platforms, reaching deep into the OT network without needing to exploit any additional vulnerability.
Honeywell management platform: vulnerabilities in energy and utilities sector deployments affect the management plane. Full technical details are not publicly available, but the criticality rating and sector involvement justify treating these as high-priority patches regardless of the disclosure level.
AVTECH IP cameras (active exploitation): this is the most immediate threat in the advisory bundle. AVTECH cameras are being actively recruited into Mirai-based botnets across finance, healthcare, and transportation environments. Beyond the DDoS impact, a compromised camera inside a critical facility is a persistent reconnaissance platform for targeted follow-on attacks, giving adversaries eyes inside the perimeter before any destructive phase begins.
Gardyn Home Kit: CISA issued a separate advisory about critical vulnerabilities in smart agricultural IoT devices that allow unauthenticated remote control. While the direct critical infrastructure impact is limited, it illustrates how consumer IoT with minimal security assumptions lands in operational environments, and why asset inventory is a non-negotiable starting point for any OT security program.
MITRE ATT&CK for ICS: How Attackers Move from IT to OT
The MITRE ATT&CK for ICS framework documents 12 tactics and 83 techniques observed in real attacks against industrial control systems, including Industroyer, TRITON/TRISIS, and Sandworm operations against electrical infrastructure. It is the foundation of any credible OT threat modeling exercise, and the standard language for red team and blue team communication in industrial security.
The attack chain in modern IoT/OT intrusions follows a recognizable progression:
Initial Access typically begins in IT. Attackers use compromised credentials or vulnerabilities in internet-facing applications to gain a foothold in the corporate network, then pivot through engineering workstations or historian servers that bridge both networks. The IT and OT phases are modeled using enterprise ATT&CK and ICS ATT&CK respectively, with the pivot being the critical transition point.
Discovery in the OT zone uses passive enumeration to avoid triggering process monitoring alerts. Techniques T0846 (Remote System Discovery) and T0888 (Remote System Information Discovery) map PLCs, RTUs, HMIs, and network topology before any active exploitation. Attackers often spend weeks in passive discovery before acting.
Lateral Movement exploits T0812 (Default Credentials), by far the most prevalent weakness in OT environments. Default credentials on PLCs, HMIs, and network equipment allow rapid propagation once inside the OT network. The April 2026 OT-ISAC advisory explicitly cites weak authentication as a root cause across multiple affected products.
Execution and Persistence: once on an engineering workstation, attackers can deploy T0873 (Project File Infection) to inject malicious logic into PLC programs, achieving persistence that survives hardware reboots and operator-initiated restarts. This is how the Industroyer malware sustained its grip on the Ukrainian power grid.
Impact: OT attackers typically pursue one of three outcomes: T0831 (Manipulation of Control) to cause physical damage, T0813 (Denial of Control) to halt operations, or T0882 (Theft of Operational Information) for industrial espionage. The TRITON/TRISIS attack against Safety Instrumented Systems (SIS) remains the starkest example of an adversary targeting the last line of defense designed to prevent catastrophic industrial accidents.
Running Red Team exercises that include the full IT/OT pivot is the most realistic way to validate whether your detection and containment capabilities can stop an attacker before they reach the operational layer.
High-Risk Sectors and Real-World Impact
The sectors most exposed to IoT/OT attacks in 2026 map directly to the NIS2 Directive's definition of essential entities:
Energy and utilities: power grid operators, renewable generation plants, and water distribution systems rely on SCADA and ICS to manage critical physical infrastructure at scale. Rapid digitalization has created attack surfaces that did not exist five years ago, often without corresponding investment in OT security.
Advanced manufacturing: Industry 4.0 has connected entire production lines to corporate networks. A targeted attack against an automated manufacturing line carries immediate economic impact and can endanger floor personnel. The convergence is often pushed by efficiency goals with security treated as an afterthought.
Transportation and logistics: rail signaling, airport ground systems, and port management rely on legacy industrial protocols with minimal authentication. CISA's April 2026 advisories on rail communication protocols make this sector an explicit priority for remediation efforts.
Healthcare: hospitals operate large fleets of medical IoT devices, including patient monitors, diagnostic imaging systems, and infusion pumps. CISA confirms AVTECH cameras have been compromised in healthcare environments, giving attackers persistent presence inside clinical networks where patient safety systems are also connected.
Smart agriculture: the Gardyn advisory signals an emerging IoT risk category where cybersecurity awareness is virtually absent. Devices are deployed with factory-default configurations, connected to operational networks, and never patched across their multi-year lifespans.
The average cost of an OT security incident in 2026 ranges from €1.5M to €5M when production downtime, regulatory penalties, and reputational damage are factored in. This figure changes the calculus on security investment for most organizations operating industrial infrastructure.
What a Professional IoT/OT Security Audit Covers
Auditing OT environments requires a methodology fundamentally different from web application or IT infrastructure pentesting. Systems cannot be interrupted. The wrong packet at the wrong time can halt a production process or trigger a safety shutdown with real physical consequences. The approach must start passive, escalate gradually, and always operate within explicit change windows agreed with the client.
Secra's IoT/OT security audit follows a five-phase structured methodology built around the operational constraints of industrial environments:
Phase 1: asset inventory and mapping. We identify every IoT/OT device in scope: PLCs, RTUs, HMIs, sensors, actuators, and SCADA servers. Many organizations discover undocumented assets during this phase: devices connected to the network that no one is actively monitoring or patching, which is itself a critical risk.
Phase 2: architecture and segmentation analysis. We evaluate IT/OT network separation, identify undocumented bridges, and analyze industrial firewall rules. Absent or misconfigured IT/OT segmentation is the single most common root cause of OT compromise following an IT intrusion.
Phase 3: non-intrusive vulnerability assessment. We perform passive protocol analysis (Modbus, DNP3, IEC 61850, PROFINET, EtherNet/IP) to identify exposed services and authentication weaknesses before any active scanning. This phase alone frequently surfaces critical findings with zero risk to operations.
Phase 4: controlled testing. With explicit client sign-off and within agreed maintenance windows, we perform authentication testing, firmware analysis, and configuration validation on IoT/OT devices. Every test is scoped and reversible.
Phase 5: reporting and remediation. We deliver an executive summary and a detailed technical report with findings classified by CVSS score, a prioritized remediation plan, and hardening recommendations adapted to the specific industrial environment. Recommendations account for the operational constraints of OT, not just security best practice.
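As an illustration of the passive protocol analysis in Phase 3 (added example, not Secra's own tooling), the script below parses captured Modbus/TCP requests, separates state-changing writes from reads, and flags writes from hosts outside a constructed allowlist of engineering workstations, the kind of finding that surfaces before any active scanning. The IP addresses, frames and allowlist are constructed for the example, and one Modbus ADU per frame is assumed.

```python
# Passive Modbus/TCP write monitor: added illustration, not Secra's tooling.
# Parses the MBAP header and function code of captured requests (one ADU per
# frame assumed) and flags state-changing writes from hosts not on the
# engineering-workstation allowlist. IPs and frames are constructed.
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
ALLOWED_WRITERS = {"10.10.1.5"}  # constructed: the engineering workstation

def parse_modbus_tcp(frame):
    """Return (unit_id, function_code, pdu_data), or None if not well-formed."""
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # proto id is 0; length = unit id + PDU
        return None
    return unit, frame[7], frame[8:]

def classify(src_ip, frame):
    """Rate one captured request as (severity, description)."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "warn", f"{src_ip}: malformed Modbus/TCP frame"
    unit, fc, data = parsed
    if fc in WRITE_FUNCTIONS:
        addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
        desc = f"{src_ip}: {WRITE_FUNCTIONS[fc]} unit {unit} addr {addr}"
        if src_ip not in ALLOWED_WRITERS:
            return "alert", desc + " from non-engineering host"
        return "info", desc
    if fc in READ_FUNCTIONS:
        return "info", f"{src_ip}: {READ_FUNCTIONS[fc]} unit {unit}"
    return "warn", f"{src_ip}: function code {fc} outside read/write baseline, unit {unit}"

# Constructed sample capture: (source IP, raw Modbus/TCP request bytes).
SAMPLE_CAPTURE = [
    ("10.10.1.5", bytes.fromhex("0001000000060103000a0002")),   # read 2 holding registers
    ("10.10.1.5", bytes.fromhex("00020000000601060010001f")),   # write register 16, allowed host
    ("10.20.3.77", bytes.fromhex("000300000006010500130000")),  # write coil 19, unexpected host
    ("10.20.3.77", bytes.fromhex("000400000006010800010000")),  # diagnostics (FC 8) request
]

def review_capture(capture=SAMPLE_CAPTURE):
    """Return only the findings rated alert or warn, in capture order."""
    return [f for f in (classify(ip, frame) for ip, frame in capture) if f[0] != "info"]
```

Fed with a real capture, the same logic gives an inventory of which hosts issue control writes to which units, which is the baseline a segmentation review in Phase 2 can be checked against.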
NIS2 and IEC 62443: The Regulatory Imperative
NIS2 extends cybersecurity obligations to sectors previously outside its scope: manufacturing, food production, medical device manufacturing, and waste management. For all of them, OT and IoT security is now a legal requirement, not an optional investment.
The international gold standard for industrial cybersecurity is IEC 62443, the standard series for Industrial Automation and Control System (IACS) security. Its controls map directly to NIS2 obligations:
- IEC 62443-2-1 covers the security management program required by NIS2's risk management mandate for essential entities.
- IEC 62443-3-2 defines the risk assessment methodology NIS2 requires at the system level.
- IEC 62443-3-3 sets the technical security requirements for control systems and their components.
A Secure-by-Design approach implemented during system design or procurement reduces ongoing security management costs by approximately 30% compared to retrofitting security post-deployment, based on data published in 2026. The earlier OT security is addressed in the asset lifecycle, the lower the total cost and the lower the regulatory exposure.
NIS2 penalties for essential entities reach €10M or 2% of global annual turnover, a figure that reframes the cost of a professional OT security assessment considerably. Secra's GRC consulting team can map your current OT security posture against IEC 62443 and NIS2, identifying compliance gaps before a regulator or an attacker does.
Connected Infrastructure Demands Connected Security
The April 2026 CISA advisories, the active exploitation of AVTECH cameras, and the vulnerabilities in GENESIS64 and ICONICS Suite are not isolated events. They are data points in a consistent trend: IoT/OT environments are being targeted at scale, by attackers with increasingly accessible tooling, against systems built for operational reliability rather than security.
Every month without a clear OT asset inventory, a validated IT/OT segmentation policy, and regular security assessments represents unquantified risk accumulating in your infrastructure. The organizations that avoid major OT incidents are those that made visibility and testing a priority before an incident forced the issue.
If you manage IoT/OT infrastructure and want to understand your real exposure, contact Secra for a no-cost discovery session. We will identify the most critical risk areas in your environment and help you define a practical roadmap toward IEC 62443 compliance and NIS2 readiness.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.