Critical Infrastructure Sector Edition · July 2026
Nirad Threat Research · 7 min read
Nation-state adversaries targeting operational technology have moved from reconnaissance to active pre-positioning. Waterfall Security's 2026 OT Threat Report documents cyber incidents with physical consequences doubling from seven in 2024 to fourteen in 2025, driven by state and hacktivist actors. Dragos corroborates: 119 ransomware groups targeted 3,300 industrial organisations in 2025 — a 64% year-on-year rise — and three newly tracked groups now explicitly target engineering workstations rather than IT perimeters. For India's power utilities, petroleum operators, and telecom carriers, the primary entry point this cycle is the IT-OT boundary device: SD-WAN controllers, VPN gateways, and firewall management planes where multiple actively-exploited vulnerabilities now sit.
1. Sector snapshot
2. Threats targeting Critical Infrastructure
1. Critical (CVSS 10.0): Cisco Catalyst SD-WAN CVE-2026-20182 — WAN fabric takeover
An authentication bypass in the vdaemon DTLS service on UDP 12346 lets an unauthenticated attacker gain administrative access to Cisco Catalyst SD-WAN Controller and Manager, then open NETCONF to reconfigure the entire overlay. Cisco Talos tracks active exploitation under UAT-8616, a highly sophisticated actor with ORB-network infrastructure overlap. Confirmed post-exploitation: SSH key injection, fabric reconfiguration, root escalation via version-downgrade (CVE-2022-20775), and forensic log erasure.
India exposure: state electricity boards, petroleum pipeline operators, and NCIIPC-designated telecom carriers running Cisco Catalyst SD-WAN.
Action: patch immediately; deploy anomaly detection on DTLS/UDP 12346 and NETCONF; hunt SSH key additions and version downgrades since March 2026.
Source: Cisco Talos; Help Net Security (15 May 2026); CISA KEV (May 2026).
2. FortiBleed — 75,000–86,000 FortiGate credentials circulated, India among most-affected
Working admin credentials for internet-facing FortiGate and SSL-VPN devices across 194 countries were extracted and publicly circulated; India is documented among the most-affected nations, with critical infrastructure named among exposed sectors. Contributing flaw: CVE-2026-24858 (FortiOS FortiCloud SSO bypass).
India exposure: power utilities, petroleum operators, and government telecom providers running FortiGate for branch connectivity and remote management.
Action: treat all Fortinet VPN and admin credentials as compromised — rotate immediately, enforce phishing-resistant MFA, restrict management access, and audit for rogue accounts.
An authentication bypass in PAN-OS GlobalProtect portal and gateway components allows unauthorised VPN sessions without credentials; active exploitation confirmed from 17 May 2026 across multiple customer environments.
India exposure: power-sector substations, government data centres, and telecom peering facilities using GlobalProtect as the remote-access perimeter.
Action: patch immediately per CISA KEV order; hunt for unauthenticated VPN sessions since mid-May 2026.
Source: Unit 42/Palo Alto Networks; Rapid7; CISA KEV (29 May 2026).
4. Oil and gas ransomware: 935% year-on-year surge, OT physical-consequence risk
Zscaler's ThreatLabz 2025 Ransomware Report documents a 935% YoY increase in attacks against oil and gas, driven by automation of rigs, pipelines, and terminal systems expanding the OT attack surface. Events reaching a DCS or safety instrumented system carry physical and environmental consequences beyond data loss.
India exposure: OT-dependent operations across refineries, pipelines, and offshore platforms; third-party IT-OT integration is a common ransomware escalation path.
Action: segment IT from OT at all boundary points; tabletop a ransomware-to-OT escalation scenario with manual-operations fallback included.
Source: Zscaler ThreatLabz; Cybersecurity Dive (Jul 2025); Dragos (17 Feb 2026).
3. Sector tech & exposures
- ICS vulnerability record: Forescout documented 508 ICS advisories in 2025 — first year above 500 — with 82% rated high or critical and average CVSS above 8.0. Level 1 (PLCs, RTUs, IEDs) and Level 2 (SCADA, DCS, BMS) are most-affected. Critical gap: only 22% of high/critical ICS CVEs carried a CISA advisory. New high-risk OT device classes flagged: PDUs, I/O modules, BACnet routers.
- India-targeted APT: Seqrite's India Cyber Threat Report 2026 documents a Pakistan-nexus campaign (APT36/SideCopy) using MSI-packaged malware, DLL sideloading, and open-source RATs — Xeno RAT, Spark RAT, CurlBack RAT — targeting India's CI and defence sector; 265 million detections in Oct 2024–Sep 2025.
- AI-accelerated exploitation: CERT-In advisory CIAD-2026-0020 (Apr 2026) warns that frontier AI now enables autonomous vulnerability discovery and exploit generation within hours of disclosure — a window most OT maintenance schedules cannot match.
4. Regulatory & compliance watch
- CERT-In CIAD-2026-0020 (high severity, 26 Apr 2026): Mandates 24-hour critical patch cycle for internet-facing CI systems; continuous monitoring, Zero Trust, MFA, and hard IT-OT segmentation required. An emergency-patch track separate from regular maintenance windows is now a regulatory expectation for designated CI operators.
- NCIIPC: CII protection framework requires nominated CISOs and registered asset inventories across power, telecom, transport, and strategic enterprises; over 9,700 CERT-In audits were conducted in FY2024-25, signalling intensifying supervisory scrutiny.
- CERT-In incident reporting: Mandatory 6-hour notification for CI operators should be reviewed against the hours-scale exploitation windows documented in CIAD-2026-0020; SOC runbooks must be validated at this interval.
5. Actor in focus
UAT-8616 — Cisco Talos designation; confidence HIGH on TTP set; MEDIUM on nation-state attribution. UAT-8616 has targeted Cisco Catalyst SD-WAN infrastructure since at least 2023, with exploitation tempo markedly increasing in May 2026. The attack chain is consistent: DTLS exploitation on UDP 12346, NETCONF fabric manipulation, SSH key persistence, root escalation via version-downgrade (CVE-2022-20775), firmware restoration to conceal the attack path, and systematic log erasure. Infrastructure overlap with ORB networks is consistent with state-level resources, though formal attribution has not been published. Compromise of an Indian state electricity board's or major telecom carrier's SD-WAN fabric would grant adversary-controlled routing and policy across geographically distributed CI sites.
Source: Cisco Talos; Help Net Security (15 May 2026); Tenable; CISA KEV (May 2026).
6. IOC pack
Only public, attributed indicators; pull exact values from primary advisories and defang before operational use.
- CVE-2026-20182 (Cisco SD-WAN): Anomalous DTLS/UDP 12346 traffic; unexpected NETCONF sessions; SSH key additions outside provisioning records; unexplained version downgrades; cleared syslog, wtmp, lastlog, bash_history. (Cisco Talos advisory.)
- CVE-2026-0257 (PAN-OS): Attacker IPs and file hashes in Unit 42 and Rapid7 advisories; alert on unauthenticated GlobalProtect session initiations.
- FortiBleed / CVE-2026-24858: Indicators in CISA alert and Arctic Wolf advisory; detect cross-device FortiOS SSO login anomalies not matching provisioning records.
- Seqrite APT RAT cluster: Defanged IOCs in Seqrite blog "Goodbye HTA, Hello MSI" (Jan 2026); detect behaviourally via MSI-spawned DLL-sideloading chains and PowerShell reflective-load patterns.
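The three behavioural indicators for CVE-2026-20182 (version downgrades, SSH key additions outside provisioning records, cleared logs) can be hunted from exported audit and boot logs. The helper below is an added example, not Cisco Talos or Cisco tooling; the log line format, field names (`boot version=`, `action=ssh_key_add`, `action=file_truncate`) and the approved-key list are constructed for illustration and must be mapped to your own SD-WAN syslog/NETCONF audit schema.

```python
"""Hunt helper for the CVE-2026-20182 / UAT-8616 behavioural indicators.

Added example; the log schema below is constructed and is not a real
Cisco SD-WAN export format. Adapt LINE_RE and the key=value names.
"""
import re

# Constructed sample events: one "boot version=<ver>" line per boot plus
# change-audit lines. Only the detection logic matters.
SAMPLE_LOGS = """\
2026-03-02T01:00:00Z vmanage1 boot version=20.12.4
2026-03-09T02:10:11Z vmanage1 audit user=netops action=ssh_key_add key=ops-laptop
2026-05-14T03:22:45Z vmanage1 boot version=20.6.2
2026-05-14T03:25:02Z vmanage1 audit user=admin action=ssh_key_add key=unknown
2026-05-14T03:30:19Z vmanage1 audit user=admin action=file_truncate path=/var/log/wtmp
2026-05-14T03:30:20Z vmanage1 audit user=admin action=file_truncate path=/root/.bash_history
"""

# Keys recorded in change management (constructed); anything else is unapproved.
APPROVED_SSH_KEYS = {"ops-laptop"}
# Log files whose truncation matches the "log erasure" indicator.
SENSITIVE_LOGS = ("/var/log/syslog", "/var/log/wtmp", "/var/log/lastlog", ".bash_history")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>boot|audit) (?P<rest>.*)$")


def _ver(s):
    """'20.12.4' -> (20, 12, 4) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def hunt(log_text):
    """Return a list of (timestamp, host, finding) tuples, in log order."""
    findings = []
    last_ver = {}  # host -> (version tuple, version string) from the previous boot
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, kind, rest = m.group("ts", "host", "kind", "rest")
        kv = dict(p.split("=", 1) for p in rest.split() if "=" in p)
        if kind == "boot":
            cur = _ver(kv["version"])
            prev = last_ver.get(host)
            if prev is not None and cur < prev[0]:
                findings.append((ts, host, f"version downgrade {prev[1]} -> {kv['version']}"))
            last_ver[host] = (cur, kv["version"])
        elif kv.get("action") == "ssh_key_add" and kv.get("key") not in APPROVED_SSH_KEYS:
            findings.append((ts, host, f"unapproved SSH key added: {kv.get('key')}"))
        elif kv.get("action") == "file_truncate" and kv.get("path", "").endswith(SENSITIVE_LOGS):
            findings.append((ts, host, f"log cleared: {kv['path']}"))
    return findings
```

Run against the constructed sample, the March key addition is approved and silent, while the May downgrade, unknown key and two log truncations surface as four findings.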
7. Recommended actions
Board: Treat edge-device and OT-network exposure as enterprise risk equal to physical security; confirm NCIIPC CISO designations and commission an emergency estate review of Cisco SD-WAN, Fortinet, and PAN-OS deployments against CVE-2026-20182, CVE-2026-24858, and CVE-2026-0257 this quarter.
CISO: Emergency-patch CVE-2026-20182 (CVSS 10.0) and CVE-2026-0257; rotate all Fortinet and Cisco SD-WAN admin and VPN credentials immediately; deploy DTLS/UDP 12346 and NETCONF anomaly detection; inventory ICS Level 1 and Level 2 devices with a vendor-co-ordinated emergency-patch track for critical OT CVEs; apply CERT-In CIAD-2026-0020 requirements: 24-hour patch cycle and hard IT-OT segmentation.
SOC: Hunt for SD-WAN version downgrades, NETCONF changes, SSH key additions, and cleared logs (wtmp, lastlog, bash_history, cli-history) since March 2026; alert on unauthenticated GlobalProtect sessions and cross-device FortiOS SSO anomalies; monitor MSI-to-DLL-sideloading chains consistent with Seqrite APT TTPs; run a ransomware-to-OT escalation tabletop for at least one oil, gas, or power facility.
8. Source index
Cisco Talos, CVE-2026-20182 / UAT-8616 (May 2026) · Help Net Security (15 May 2026) · CISA KEV (May 2026; 29 May 2026) · Tenable · CISA, FortiBleed alert (18 Jun 2026) · Arctic Wolf (Jun 2026) · CSA Labs (20 Jun 2026) · Unit 42/Palo Alto Networks, CVE-2026-0257 · Rapid7, CVE-2026-0257 · Zscaler ThreatLabz 2025 Ransomware Report (Jul 2025) · Dragos 2026 OT Year in Review (17 Feb 2026) · Waterfall Security 2026 OT Threat Report · Seqrite India Cyber Threat Report 2026 (Jan 2026) · Forescout (Feb 2026) · IT Security Guru (19 Feb 2026) · CERT-In CIAD-2026-0020 (26 Apr 2026) · Qualys blog (24 Jun 2026) · PIB, Government of India (2026).