COSMICBYTEZLABS
Cyberattacks on Critical Infrastructure Double in Q1 2026

Dragos and Mandiant report a 112% increase in cyberattacks targeting energy, water, and transportation systems in the first quarter of 2026, with...

Dylan H.

News Desk

February 6, 2026
4 min read

Critical Infrastructure Under Siege

Industrial cybersecurity firms Dragos and Mandiant have published their Q1 2026 threat reports revealing a 112% year-over-year increase in cyberattacks targeting critical infrastructure sectors. The reports identify energy, water treatment, and transportation as the most targeted industries.

The surge is attributed to a combination of escalating geopolitical tensions, the proliferation of OT-specific malware frameworks, and the expanding attack surface created by IT/OT convergence initiatives.


Attack Landscape

Incidents by Sector

Sector               Q1 2025   Q1 2026   Change
Energy & Utilities        47        98    +108%
Water & Wastewater        23        56    +143%
Transportation            18        41    +128%
Manufacturing             62       112     +81%
Oil & Gas                 31        58     +87%
Total                    181       365    +112%

Attack Types

Method                              Percentage   Trend
Ransomware (IT spillover to OT)            34%   ↑
Supply chain compromise                    22%   ↑↑
Remote access exploitation                 19%   →
Spear-phishing operators                   14%   ↑
Insider threat / credential abuse          11%   →

Notable Threat Groups

VOLTZITE (China-Nexus)

Dragos identified continued operations by VOLTZITE, a threat group linked to Chinese intelligence services. The group has been observed:

  • Pre-positioning access in US electric utility networks
  • Targeting GIS systems and grid topology databases
  • Using living-off-the-land techniques to avoid detection
  • Maintaining persistent access for potential future disruption

KAMACITE (Russia-Nexus)

The KAMACITE group has expanded operations beyond Ukraine, targeting:

  • European natural gas pipeline operators
  • North American electrical substations
  • Water treatment SCADA systems in NATO member countries

FrostyGoop / BUSTLEBERM

The FrostyGoop malware framework, first seen targeting Ukrainian heating systems in late 2025, has been adapted for broader OT environments:

  • New modules targeting Modbus TCP and OPC UA protocols
  • Capability to manipulate setpoints on PLCs
  • Deployed against water treatment facilities in multiple countries

Key Findings

IT/OT Convergence Expands Attack Surface

  • 72% of incidents involved initial compromise of IT systems before pivoting to OT
  • 48% of targeted organizations had flat networks between IT and OT segments
  • 31% lacked any OT-specific monitoring or detection capabilities

Water Sector Most Vulnerable

The water and wastewater sector showed the steepest increase in attacks (+143%), attributed to:

  • Chronic underfunding of cybersecurity programs
  • Heavy reliance on remote access for distributed facilities
  • Legacy SCADA systems running unsupported operating systems
  • Limited staff with OT cybersecurity expertise

CISA noted that many small water utilities serving communities under 50,000 people have zero dedicated cybersecurity staff.


CISA Response

CISA has announced several emergency measures:

  1. Free OT assessments for water and energy utilities under 100,000 customers
  2. Updated ICS advisories for Modbus, OPC UA, and DNP3 protocol vulnerabilities
  3. Mandatory reporting for critical infrastructure cyber incidents (CIRCIA enforcement begins March 2026)
  4. Joint exercises with sector-specific ISACs throughout Q2 2026

Recommendations for OT/ICS Operators

Immediate Actions

  1. Segment IT and OT networks — Implement DMZ architecture between corporate and operational networks
  2. Disable unnecessary remote access — Audit and restrict all external OT connectivity
  3. Deploy OT-specific monitoring — Solutions like Dragos Platform, Claroty, or Nozomi Networks
  4. Patch known exploited vulnerabilities — Reference CISA KEV catalog for ICS-specific entries
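As an added example (not code from the article or from the Dragos or Mandiant reports), this is the kind of check an OT monitoring rule would make for the Modbus setpoint manipulation described under FrostyGoop: parse Modbus TCP requests and alert on any write function code from a host outside an engineering-workstation allowlist. The allowlist, IP addresses and frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change PLC state (coils/holding registers); a setpoint change over Modbus TCP uses one of these.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Assumed allowlist (constructed): the only hosts permitted to write to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # starting coil/register, where the PDU carries one
    quantity: Optional[int]  # item count for block reads/writes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    address = quantity = None
    if fc in (1, 2, 3, 4, 15, 16, 23) and len(frame) >= 12:
        address, quantity = struct.unpack(">HH", frame[8:12])
    elif fc in (5, 6, 22) and len(frame) >= 10:
        address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit_id, fc, address, quantity)

def find_unauthorized_writes(flows):
    """flows: iterable of (src_ip, frame); returns an alert per write not from an allowlisted host."""
    alerts = []
    for src_ip, frame in flows:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in ENGINEERING_WORKSTATIONS:
            alerts.append(f"{src_ip} -> unit {req.unit_id}: {WRITE_FUNCTION_CODES[req.function_code]} at {req.address}")
    return alerts

# Constructed sample traffic: an HMI read (FC3), a permitted setpoint write from the
# engineering workstation (FC6), and a block register write from a corporate IT host (FC16).
SAMPLE_FLOWS = [
    ("10.10.5.30", bytes.fromhex("00010000000601030000000A")),
    ("10.10.5.20", bytes.fromhex("0002000000060106001001F4")),
    ("10.1.44.7", bytes.fromhex("00030000000B01100020000204006400C8")),
]
```

Only the write from the corporate host is flagged; in a real deployment the allowlist would be fed from the asset inventory and the frames from a network tap on the OT segment.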

Strategic Initiatives

  1. Implement IEC 62443 security standards for industrial automation
  2. Conduct OT threat hunting — Look for living-off-the-land techniques in OT environments
  3. Establish OT incident response plans — Include manual operations procedures for cyber events
  4. Join sector ISACs — Share threat intelligence with peers (WaterISAC, E-ISAC)

Resources

  • Dragos 2026 OT Cybersecurity Year in Review
  • CISA ICS-CERT Advisories
  • NIST SP 800-82 Rev 3 — Guide to OT Security
  • IEC 62443 Standards Overview
