Attackers Don’t Need ICS Malware: Lessons from High-Profile OT Security Incidents in 2026
Security teams responsible for operational technology tend to plan for the sophisticated scenario: custom Industrial Control System (ICS) malware, zero-day exploits, and adversaries with deep protocol knowledge. The incidents making headlines tell a different story. In case after case, attackers reached industrial control systems through weak or default passwords, remote access tools exposed to the internet, and networks with no meaningful separation between IT and OT.
Three recent threads illustrate the pattern, and each one points to the same set of fixable gaps.
Water Systems Remain a Favorite Target, and the Entry Points Are Basic
Threat intelligence published in June 2026 by DomainTools examined attacks on water and wastewater systems going back to 2024, attributed to state-aligned groups from Iran, Russia, and China. The motivations differ across those actors, ranging from opportunistic disruption to long-term prepositioning, but the access techniques are strikingly consistent: exposed programmable logic controllers (PLCs) and human-machine interfaces (HMIs), weak authentication, compromised remote access, and poor segmentation between the OT and IT sides of the network.
Intelligence officials in Poland reported that attackers breached five water treatment plants in a single year, mainly through weak and default passwords and control systems exposed to the internet. The researchers also documented intrusions that started in billing systems, customer portals, and SCADA-adjacent servers rather than in the control systems themselves. The lesson for defenders is that every connected asset on the network is a potential path to operational systems, whether or not it looks operational.
As the DomainTools researchers put it, state actors do not need custom ICS malware to create risk. Criminal and unattributed incidents demonstrate the same weaknesses a more patient adversary could exploit with greater intent.
Muleshoe, Texas: An HMI, a Login, and Tens of Thousands of Gallons
In January 2024, attackers accessed the remote industrial interface at a municipal water facility in Muleshoe, Texas, and caused a water storage tank to overflow for 30 to 45 minutes before operators regained control by switching the tank to manual operation and isolating the compromised machine. A nearby facility in Abernathy was hit the same way, and officials in two other nearby towns, Lockney and Hale Center, confirmed attempted intrusions into their water utilities’ SCADA systems in the same window. The group that claimed responsibility, Cyber Army of Russia Reborn, posted a video of the HMI manipulation to a public forum, and the US Treasury Department later sanctioned two of its members for the operations.
The details matter more than the attribution. The US Treasury noted that major damage was avoided largely because of the attackers’ lack of technical sophistication, not because of any control that stopped them. The intrusion succeeded because an industrial interface that should never have been reachable from the internet was reachable from the internet, and the credentials protecting it did not hold. Tens of thousands of gallons of water were lost from what amounted to a login, and the recovery depended on operators physically taking the system out of remote control, a fallback that works for a water tank and does not generalize to every OT environment.
For small and mid-sized utilities, this is the realistic threat model. The adversary is not writing PLC exploits. The adversary is finding the HMI you forgot was exposed.
Oldsmar, Florida: Whatever Happened, the Environment Was the Problem
The 2021 incident at the Oldsmar water treatment plant was initially reported as a remote attacker raising sodium hydroxide levels in the water supply from 100 parts per million to 11,100 before an operator caught the change and reversed it. Years later, the former city manager stated the incident was operator error rather than an external hack, and the FBI never publicly confirmed an intrusion.
Both versions of the story carry the same warning. Investigators and state advisories documented that the plant’s computers shared a single password for remote access, sat on the internet without a firewall, and ran an operating system that had reached end of support. Whether the person at the keyboard that day was an attacker or an employee, the environment offered no way to know, no way to limit what a remote session could touch, and no barrier between remote access and the controls that adjust chemical levels in drinking water.
That is the deeper point for security leaders: an environment where a single remote session can reach safety-relevant controls is a finding in itself, before any incident occurs.
The Popa Botnet: When Everyday Devices Become Attacker Infrastructure
The third thread widens the lens. In July 2026, the FBI seized hundreds of domains tied to NetNut, a commercial residential proxy service, and the associated Popa botnet, a network of at least two million compromised devices. The devices were not servers or workstations. They were smart TVs and low-cost streaming boxes in people’s homes, quietly turned into proxy nodes that cybercriminals and espionage groups rented to disguise the origin of password-spraying, account-takeover, and scraping traffic. Google’s Threat Intelligence Group observed 316 distinct threat actor clusters using the network’s exit nodes in a single week.
Research cited in the takedown coverage found that 42 percent of apps available for LG smart TVs, and more than a quarter of apps for Samsung’s platform, include software components that enroll the television in a residential proxy network. Once a device becomes an exit node, unauthorized traffic flows through it, and the attackers behind that traffic can reach other devices on the same local network.
For enterprise defenders, the takeaway is not about televisions. It is that huge populations of unmanaged connected devices are being conscripted into attack infrastructure at scale, and that the traffic hitting your perimeter increasingly originates from inside ordinary networks. Any environment with unmanaged IoT, OT, IoMT, or IT devices on shared network segments is exposed to the same dynamic from the inside: one compromised device becomes a foothold, and a flat network turns a foothold into reach.
The Common Thread Is the Gap Between Seeing and Enforcing
Across all of these incidents, the failures are not exotic:
- Devices no one was watching. Exposed HMIs, forgotten remote access software, and consumer-grade hardware on production networks. You cannot protect an asset you have not inventoried, and you cannot judge risk on a device whose services, connections, and firmware you cannot see.
- Credentials as the only control. Shared passwords and default logins standing between the internet and physical processes. When authentication is the single barrier, one phished or guessed credential is the whole game.
- Networks with no interior walls. Once inside, attackers moved from IT systems to operational controls, or from one home device to its neighbors, because nothing on the network said no. Segmentation is what turns a compromised device into a contained incident instead of a plant-wide one.
Most organizations already know this. Industry data backs up the gap between intent and execution: in Cisco’s 2025 Segmentation Report, 79 percent of organizations named segmentation a priority while only 33 percent had fully implemented it. Segmentation stalls not because teams doubt its value but because they lack the device-level context to write enforcement policies they trust, and because the fear of breaking a production process, a clinical workflow, or a water treatment operation vetoes action. In OT environments, where uptime is the mission, that fear is rational.
Closing the Gap Without Betting the Plant
This is the problem Asimily was built to solve across IoT, OT, IoMT, and IT environments. It starts with a complete, agentless inventory that identifies every connected device, its services, and its connections, captured safely and without disrupting operations. Asimily’s ATT&CK Analysis then determines which vulnerabilities are actually exploitable on each specific device in its specific environment, so teams work the short list that drives real risk rather than a generic queue based solely on vulnerability severity.
From there, Asimily’s Segmentation Orchestration turns that intelligence into enforced policy. Policy Auto-Recommendation identifies where to begin. Policy Creation generates policies in the format(s) your existing enforcement infrastructure expects. And Policy Simulation previews exactly which devices and connections a policy would affect, validated against real observed traffic, before anything deploys. That preview is what removes the operational fear that keeps segmentation stuck at “priority” instead of “implemented.” Continuous Segmentation then keeps policies aligned as devices are added, patched, moved, and retired, so enforcement never drifts behind the network it protects.
The attackers in these incidents did not do anything advanced. They found unwatched devices, weak credentials, and flat networks. Those are conditions a security program can eliminate, deliberately and without disruption, starting with the riskiest devices first.
See how Segmentation Orchestration from Asimily works.
Related: How Poor Device Visibility Undermines Segmentation in Connected Environments
Related: Introducing Segmentation Orchestration: AI-Driven Proactive Segmentation
Secure Every IoT Device.
Automatically.
Cyber threats move fast — so should you. Asimily gives instant inventory and smart, prioritized risk mitigation insights for every IoT, OT, and IoMT device — so you can take action before threats strike.