Critical Infrastructure Sector Edition — June 2026
1. Sector snapshot
The dominant strategic risk to Indian critical infrastructure is no longer disruptive ransomware alone but quiet, long-dwell pre-positioning in operational technology (OT). Dragos's 2026 OT/ICS Year in Review (published 17 Feb 2026) reported ransomware groups impacting industrial organisations rose 49% year-on-year (119 groups in 2025 versus 80 in 2024), and that the China-nexus group it tracks as VOLTZITE (public name: Volt Typhoon) continued embedding for long-term persistence in strategic utilities, advancing from IT data theft to directly interacting with OT-connected devices and engineering workstations. The lesson for Indian generation, transmission and load-despatch operators: assume reconnaissance precedes impact by months.
2. Threats targeting the sector
Pre-positioning in electric/water OT by China-nexus actors (no single CVE; living-off-the-land) — Dragos reported VOLTZITE maintained persistence in US electric, oil-and-gas and water networks through 2025 using native tooling, compromising cellular gateways and pivoting to engineering workstations; a new access broker, SYLVANITE, hands footholds to VOLTZITE for deeper OT intrusion. Exposed: Indian power and water utilities with internet-exposed cellular gateways, routers and HMIs. Action: Hunt for anomalous admin logons and credential reuse on IT/OT boundary devices; assume no malware signature. Source (with date): Dragos / Industrial Cyber, 17 Feb 2026.
Control-loop mapping reconnaissance — Dragos observed the KAMACITE group systematically map control loops across US infrastructure from March to July 2025, scanning HMIs, variable-frequency drives, metering modules and cellular gateways. Exposed: SCADA HMIs and VFDs reachable from enterprise or internet zones. Action: Validate Purdue-model segmentation; alert on protocol scans crossing zone boundaries. Source (with date): Dragos OT Report, 17 Feb 2026.
GNSS/GPS spoofing against aviation and PNT — Coordinated GPS spoofing and GNSS interference affected multiple major Indian airports; analysts characterised it as probing that "bears the hallmarks of a rogue nation state" (no specific country confirmed) and called for NavIC integration and anti-jam/anti-spoof defences. Exposed: Aviation approach navigation and any infrastructure relying on GPS for precise timing (telecom core, grid synchrophasors). Action: Inventory GPS-timing dependencies; deploy holdover/secondary timing and report events under the DGCA GNSS-interference SOP. Source (with date): BankInfoSecurity, 5 Dec 2025.
Substation protection-relay denial-of-service (CVE-2025-2403) — A flaw in Hitachi Energy Relion 670/650 and SAM600-IO from improper prioritisation of network traffic over the protection mechanism can cause critical functions (e.g., line-distance communication) to malfunction. Exposed: Transmission substations running affected Relion firmware. Action: Apply vendor mitigations; restrict device network access to trusted engineering paths. Source (with date): CISA ICS advisory, 2025 (standing exposure).
3. Sector tech and exposures
The recurring weakness is unauthenticated industrial-protocol exposure. The Aug-Sep 2025 CISA ICS advisory set documented missing MODBUS/TCP authentication permitting unauthorised read/write or halt of devices (CVE-2025-7405, Mitsubishi MELSEC iQ-F), cleartext credential transmission over SLMP (CVE-2025-7731), and privilege-escalation paths in RTU platforms (CVE-2025-8453, Schneider Saitel). Internet-exposed Modbus devices and unauthenticated IEC 60870-5-104 substation gateways remain a common Indian configuration pattern - the same protocol class weaponised by Industroyer2. DNP3 masters and synchrophasor links dependent on GPS timing extend the blast radius into PNT.
4. Regulatory and compliance watch
- Telecom compliance rationalisation (May 2026): MeitY/CERT-In and the Department of Telecommunications began discussions and formed a working group to streamline overlapping audit/reporting duties; the six-hour breach-reporting and two-year log-retention obligations under the Telecom Cybersecurity Rules, 2024 remain unchanged. (Indian Infrastructure, 26 May 2026.)
- Power sector (CEA): Draft CEA (Cyber Security in Power Sector) Regulations, 2025 are in finalisation - mandating CISO/alternate-CISO appointments and six-hour incident reporting to CSIRT-Power for all generation, transmission, distribution, exchange and load-despatch "Responsible Entities." (KSandK / SolarQuarter, Dec 2025.)
- CII governance: NCIIPC remains the nodal protector for energy, banking, telecom and transport; analysis in May 2026 urged device certification (STQC) and secure indigenous technology under Atmanirbhar Bharat. (NextIAS, 27 May 2026.)
5. Actor in focus
VOLTZITE / Volt Typhoon (China-nexus) - Confidence: HIGH (public attribution by Dragos, CISA and multiple vendors). Tradecraft is living-off-the-land for stealth, multi-year dwell, and a documented 2025 advance toward OT device and engineering-workstation interaction. The 2026 emergence of SYLVANITE as a dedicated access broker shortens the path from initial access to OT. For India, the relevance is doctrinal: a capability optimised for pre-positioning ahead of crisis rather than immediate disruption. (Dragos, 17 Feb 2026.)
6. IOC and detection pack
This edition deliberately references advisories rather than transcribing uncertain indicators, consistent with living-off-the-land tradecraft where IOCs are low-value.
- Behavioural detections (preferred): anomalous use of native admin/remote-management tools on IT/OT boundary devices; credential reuse across zones; unexpected outbound from HMIs/RTUs.
- Authoritative references: CISA advisory AA24-038A (Volt Typhoon, 7 Feb 2024) and the Dragos 2026 Year in Review (VOLTZITE/SYLVANITE/KAMACITE behaviours).
- Vulnerability tracking: CVE-2025-2403 (Hitachi Energy Relion, DoS); CVE-2025-7405 / CVE-2025-7731 (Mitsubishi MELSEC iQ-F); CVE-2025-8453 (Schneider Saitel RTU) - validate against CISA's ICS advisory portal before action.
7. Recommended actions
- Board: Treat OT pre-positioning as a strategic continuity risk, not an IT-helpdesk item; fund IT/OT segmentation and GPS-timing resilience; confirm CISO appointment ahead of CEA regulation finalisation.
- CISO: Map GNSS/PNT dependencies across telecom core and grid sync; ensure six-hour telecom reporting and CSIRT-Power readiness; commission threat hunts assuming no malware signature.
- SOC: Alert on cross-zone protocol scans (Modbus/IEC-104/DNP3), unauthenticated RTU/relay access, and native-tool abuse on boundary devices; subscribe to CISA ICS and CERT-In/NCIIPC advisory streams.
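As an added example (not code from this report or from Dragos/CISA material), the SOC detection for cross-zone industrial-protocol scans described in sections 2, 6 and 7, run over constructed flow records; the Purdue zone subnets, the port-to-protocol map, the approved DMZ-to-control crossing and the scan threshold are all assumptions.

```python
# Added example: detect ICS protocol sweeps crossing Purdue zone boundaries.
# Zone subnets, port map, allowed crossings and threshold are assumptions, not site data.
from collections import defaultdict
import ipaddress

# Hypothetical Purdue zones (Level 4/5 enterprise, 3.5 DMZ, 2/1 control) - constructed
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),  # HMIs, RTUs, relays
}
ICS_PORTS = {502: "Modbus/TCP", 2404: "IEC 60870-5-104", 20000: "DNP3"}
ALLOWED_CROSSINGS = {("dmz", "control")}  # e.g. historian polling via the DMZ
SCAN_THRESHOLD = 3  # distinct targets from one source on one protocol

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def find_cross_zone_scans(flows, threshold=SCAN_THRESHOLD):
    """flows: (src_ip, dst_ip, dst_port) tuples. Returns alerts sorted by source."""
    targets = defaultdict(set)  # (src, src_zone, protocol) -> destination hosts
    for src, dst, port in flows:
        if port not in ICS_PORTS:
            continue  # not an industrial protocol we track
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED_CROSSINGS:
            continue  # intra-zone or an approved engineering/historian path
        targets[(src, sz, ICS_PORTS[port])].add(dst)
    return sorted(
        [{"src": s, "src_zone": z, "protocol": p, "hosts": sorted(d)}
         for (s, z, p), d in targets.items() if len(d) >= threshold],
        key=lambda a: a["src"])

# Constructed flow records: one enterprise host sweeping Modbus across four control-zone devices
SAMPLE_FLOWS = [
    ("192.168.100.5", "192.168.100.20", 502),    # HMI to PLC inside control zone: expected
    ("10.20.0.7", "192.168.100.30", 2404),       # DMZ historian to RTU over IEC-104: allowed
    ("10.10.4.33", "192.168.100.20", 502),       # enterprise host -> Modbus sweep begins
    ("10.10.4.33", "192.168.100.21", 502),
    ("10.10.4.33", "192.168.100.22", 502),
    ("10.10.4.33", "192.168.100.23", 502),
    ("10.10.8.9", "192.168.100.40", 20000),      # single DNP3 crossing: below threshold
]

if __name__ == "__main__":
    for a in find_cross_zone_scans(SAMPLE_FLOWS):
        print(f"ALERT {a['protocol']} sweep from {a['src']} ({a['src_zone']}) -> {len(a['hosts'])} hosts")
```

Feeding real NetFlow/Zeek conn records into `find_cross_zone_scans` with the site's actual zone map gives the cross-zone scan alert the SOC action calls for; the threshold separates a single misrouted poll from a sweep.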
8. Source index
- Dragos 2026 OT/ICS Year in Review (press release + Industrial Cyber / The Register), 17 Feb 2026.
- Indian Infrastructure, "Centre begins discussions to streamline overlapping cyber compliance rules for telecom operators," 26 May 2026.
- NextIAS, "Protecting India's Critical Digital Infrastructure," 27 May 2026.
- BankInfoSecurity, "India's GPS Spoofing Sparks Calls for Aviation Resilience," 5 Dec 2025.
- CISA / Industrial Cyber, ICS advisories (Mitsubishi MELSEC iQ-F, Schneider Saitel, Delta, GE Vernova, Hitachi Energy Relion), Aug-Sep 2025.
- KSandK / SolarQuarter on CEA Cyber Security Regulations 2025, Dec 2025.
9. Byline
Nirad Threat Research Team, Nirad Threat Research. Source-attributed, India-first, human-validated. Indicators and advisories should be validated against the issuing authority before enforcement.