ICS Cybersecurity: UK Water Utility Cyberattacks; EU Power Grid Resilience; SD Data Center Wiring

According to information obtained from the UK's Drinking Water Inspectorate (DWI), drinking water suppliers have reported five cyberattacks since the beginning of 2024. In all, DWI has received 15 reports under Network and Information Systems (NIS) Regulations from suppliers since January 1, 2024. Of those, 10 were deemed not to be cyber-related; the other five were classified as "out-of-NIS-scope systems." Current NIS rules require formal reporting of cyber incidents that disrupt essential services; therefore, the detection of an intruder's presence on an IT system does not fall under the mandatory reporting guidelines. When the UK's Cyber Security and Resilience Bill is introduced in Parliament later this year, the high threshold for mandatory reporting is expected to be amended. Recorded Future News obtained the incident data from DWI under freedom of information laws.

The European Commission is focusing on improving power grid resilience, funding several projects including the eFORT framework, which is being developed by researchers at Netherlands Organisation for Applied Scientific Research (TNO) and the Delft University of Technology (TU Delft). According to the project's website, "eFORT will increase power system stability by developing technologies for identifying, preventing, and mitigating risks and vulnerabilities." TNO has also developed SOARCA, "an open-source tool that allows organisations to experiment with advanced technology to automatically repel cyber attacks, based on shareable security playbooks." The EU power grid is interconnected, with issues in one country easily leading to problems in others. For example, in April 2025, a series of cascading failures left Spain, Portugal, and parts of France without electricity, reminiscent of the 2015 Ukrainian power grid outage caused by a cyberattack. Additionally, power plant IT infrastructure is a unique assemblage of software, hardware, and operating systems from a variety of vendors who may be resistant to having cybersecurity professionals dig too deeply. In a separate, related story, power grid operators in the USD are increasingly being urged "to unify their cybersecurity and physical security strategies."

Last week, South Dakota's Bureau of Information and Telecommunications Commissioner, Mark Wixon, testified before the state legislature’s Government Operations and Audit Committee about an August 2025 disruption of South Dakota's state government IT infrastructure. The incident began during the replacement of an uninterruptible power supply at the South Dakota State Data Center. The device tripped the data center's main breaker several times, ultimately damaging the device and necessitating its replacement. However, some switches were mislabeled, leading electricians to believe they were connected to that main breaker when they were in fact connected to a different breaker. The South Dakota Searchlight writes that "the mislabeling ultimately led to the torching of a critical, $80,000 network traffic controller switch and its backup." And the Aberdeen Insider notes that "Unbeknownst to electricians, multiple breakers were drawing power from the same source, causing surges that destroyed other equipment — including industrial-grade router systems that supply the state network used by the Department of Public Safety’s motor vehicles division, the Department of Revenue’s tax portal, and labor office services."

Japan's Ministry of Economy, Trade and Industry has published Operational Technology (OT) security guidance for semiconductor manufacturers. The document states that because "[a] comprehensive framework for promoting security measures across the entire semiconductor industry has not yet been established in Japan ... it is urgent to present guidelines for factory security measures by taking into account the status of security measures being implemented within the domestic semiconductor industry and other relevant factors, while maintaining consistency with various security standards that have been established for the global semiconductor industry." The document references SEMI's E187 and E188 standards, which address incorporating security into the development phase of new semiconductor manufacturing equipment and extending security to existing semiconductor manufacturing equipment. The Japanese guidance also references the US National Institute of Standards and Technology's (NIST's) Cybersecurity Framework Version 2.0 Semiconductor Manufacturing Profile, which "identifies five primary business and mission objectives for the semiconductor manufacturing sector": maintain environmental safety; maintain human safety; maintain production goals; maintain semiconductor quality; and protect sensitive information.

The Australian Signals Directorate (ASD) has published an advisory warning that "Cyber actors are installing an implant dubbed ‘BADCANDY’ on Cisco IOS XE devices that are vulnerable to CVE-2023-20198." While BADCANDY itself does not maintain persistence following reboots, if threat actors have obtained account credentials or other forms of authentication, they can still have access to the affected device or network. Variations of the attack have been detected as far back as 2023. Cisco released a software update to address the critical (CVSS 10.0) vulnerability in 2023; the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to the Known Exploited Vulnerabilities catalog on October 16, 2023, with a four-day mitigation window for Federal Civilian Executive Branch (FCEB) agencies.

A pair of vulnerabilities in the KT1 component of ITM/ITCAM Agents IBM Tivoli Monitoring could be exploited by "remote attacker to traverse directories on the system [through maliciously-crafted URLs and] view, overwrite, or append to arbitrary files on the system." There is not a patch for these issues. Instead, admins need to configure the agents "to use only TLS for communication." Nagios released Nagios XI version 2026R1 in late September 2025; the update includes fixes for three critical OS command injection vulnerabilities. CVE-2025-34134 affects in the Business Process Intelligence (BPI) component; "successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain further control of the underlying host operating system." CVE-2025-34284 affects the WinRM plugin; "successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system." CVE-2025-34286 affects the Core Config Manager (CCM) Run Check command; "successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system."

On Thursday, October 30, 2025, privacy-focused software company Proton AG launched the Data Breach Observatory, an online public catalog of major data breaches. Proton created the project in the interest of responsible transparency and awareness, citing risks to consumers and smaller businesses when inconsistent self-reporting means breaches may go undisclosed, hidden, or ignored. Constella Intelligence is collaborating with Proton on the Observatory, conducting research and near-real-time monitoring of the dark web for leaks. Eamonn Maguire, Proton's director of engineering, AI & ML, told The Register, "We're not simply republishing what criminals claim; we're applying validation layers before disclosure," stating that "a number of processes" will analyze and cross-reference findings; aggregated compilations will be passed over in favor of single-source information, and additional sources include "GDPR notifications, researchers, threat intelligence feeds, and journalistic investigations." So far, the Observatory has identified "794 breaches from identifiable sources, with more than 300 million records exposed," over 70 percent of which were small and medium-sized businesses, primarily in retail, technology, and media/entertainment sectors. 90 percent of breaches contained names and emails, 72 percent contained contact information, 49 percent contained passwords, and 24 percent contained IDs, health records, and other personally identifiable information (PII). Breaches in the Observatory are searchable by date, size, type and sensitivity of data, country, company, industry, and company size. Proton will "always inform [an] affected organization in advance of the information being published" to ensure organizations can protect themselves.

Denmark has withdrawn a bill that would have required service providers to scan all electronic communications, including those exchanged on end-to-end encrypted platforms, like WhatsApp. Dubbed Chat Control, the bill's stated goal was to reduce the trafficking of child abuse content. The European Commission introduced the bill in 2022. Denmark currently holds the Presidency of the Council of the European Union EU Council until the end of this calendar year. Denmark's Justice Minister says the country will support a voluntary measure for service providers to search for offending content. On October 8, Germany said it would not support the legislation. Poland and the Netherlands have also opposed the measure; France and Ireland support Chat Control.

Two former cybersecurity incident response professionals and an unnamed conspirator have been indicted by the US Department of Justice for conducting ransomware attacks against five US companies in 2023. Ryan Clifford Goldberg, a former incident response manager for Sygnia Cybersecurity Services, and Kevin Tyler Martin, a former ransomware threat negotiator for DigitalMint, are charged with conspiracy and interference with interstate commerce by extortion, and with intentional damage to protected computers. All three were employed at the time of the attacks but have since been terminated; while the unnamed "Co-Conspirator 1" is mentioned in the indictment and was also a DigitalMint ransomware negotiator, the filing only specifies charges for Goldberg and Martin. The trio attacked a medical device company in Florida, a pharmaceutical company in Maryland, a doctor's office and an engineering company in California, and a drone manufacturer in Virginia, all of which were engaged in interstate commerce. The conspirators deployed ALPHV BlackCat ransomware, extorting each organization for cryptocurrency in exchange for a decryption key and a promise not to publish stolen data. Only the medical device company paid the ransom, totaling approximately US$1,274,781.2 at the time. The conspiracy and extortion charges each carry a maximum sentence of 20 years in prison, and the intentional damage charge carries a maximum of 10 years; each charge carries up to US$250,000 in fines on top of forfeitures.