THE BLUF

You have 30 days until the June 30, 2026 AWIA deadline. One month. If your Emergency Response Plan (serving 50,000–99,999) or your Risk and Resilience Assessment recertification (serving 3,301–49,999) is not in final review right now, you are in serious trouble. There is no extension. There is no waiver. This week brought two items that demand your attention: a new GAO report calling out persistent, unaddressed cybersecurity threats to the water and wastewater sector, and a WaterISAC vulnerability notification for a critical actively exploited Fortinet EMS flaw. Meanwhile, CISA added five new vulnerabilities to its Known Exploited Vulnerabilities catalog in the past seven days — including a Palo Alto Networks PAN-OS authentication bypass and multiple supply chain compromises. If your utility runs PAN-OS firewalls at the network edge, you need to be patching today, not next sprint. The supply chain compromises in Nx Console and Daemon Tools Lite are a reminder that software you trust can be weaponized before it reaches your environment. Verify your software supply chain hygiene now.

THREAT INTELLIGENCE

NEW — WaterISAC: Critical Fortinet EMS Vulnerability Actively Exploited (CVE-2026-35616)
Published May 29, 2026. WaterISAC posted a TLP:CLEAR vulnerability notification for a critical vulnerability in Fortinet Endpoint Management Server (EMS) that is being actively exploited in the wild. If your utility uses Fortinet EMS to manage endpoint agents on SCADA workstations, engineering laptops, or any OT-adjacent systems, this is a priority-one patch action. Fortinet EMS is commonly deployed in water utility environments for centralized endpoint visibility. An exploited EMS server gives an attacker a direct path to push malicious configurations to every managed endpoint.

Operator actions:

  • Determine immediately whether Fortinet EMS is deployed anywhere in your IT or OT environment.

  • If present, coordinate with your Fortinet vendor or managed security provider for patch availability and apply it under emergency change control.

  • Review EMS logs for anomalous administrative access, unexpected policy pushes, or connections from unfamiliar IP addresses.

NEW — WaterISAC: GAO Report on Water Sector Cybersecurity Gaps
Published May 28, 2026. WaterISAC posted a TLP:CLEAR summary of a new Government Accountability Office (GAO) report that identifies persistent, unresolved cybersecurity threats to water and wastewater systems and calls for additional federal action. While the GAO report itself is a policy document, its publication signals that congressional oversight of water sector cyber readiness is intensifying. Executives should be prepared: this report may drive new regulatory requirements or more aggressive EPA enforcement postures in the near term.

NEW — WaterISAC: FBI Alerts on Credential Theft and Ransomware Techniques
Published May 28, 2026. WaterISAC posted a TLP:CLEAR summary of multiple FBI alerts covering evolving credential theft campaigns and ransomware intrusion techniques. These are not water-sector-specific, but credential theft remains the number one initial access vector in water utility compromises. If your operators are reusing passwords across IT and OT systems, or if you lack multi-factor authentication on remote access portals, VPNs, or HMI web interfaces, you are exposed.

Operator actions:

  • Audit all remote access accounts for password reuse and enforce MFA on every remote access pathway — no exceptions.

  • Brief operations staff on current credential phishing techniques. If you cannot produce evidence of a phishing awareness session within the last 90 days, schedule one this week.

NEW — CISA: Supply Chain Compromise in Nx Console and GitHub Repositories
Published May 28, 2026. CISA issued an alert on supply chain compromises affecting Nx Console and associated GitHub repositories. This is a software development tool compromise — if your SCADA integrator, system vendor, or internal development team uses Nx Console for any code management related to your OT environment, you need to verify the integrity of all recent builds and deployments immediately.

🔒 PREMIUM TIER BOUNDARY
In our standard free dispatch, the briefing concludes here. The following section—The Compliance Log—and all subsequent strategic intelligence is strictly reserved for our Premium Subscribers, unlocked for this inaugural edition only.

THE AUDIT-READY COMPLIANCE LOG

CISA Known Exploited Vulnerabilities (KEV) Additions — Past 7 Days:

The following vulnerabilities were added to the CISA KEV catalog between May 26 and May 29, 2026. Federal agencies are required to remediate per BOD 22-01 timelines. All water utilities should treat KEV entries as priority patches regardless of FCEB status.

  • May 29, 2026 — CVE-2026-0257: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability. HIGH PRIORITY FOR WATER UTILITIES. PAN-OS firewalls are widely deployed as perimeter devices protecting SCADA networks. An authentication bypass on your edge firewall is a direct path into your OT environment. Patch immediately. If you cannot patch, implement compensating controls: restrict management interface access to trusted IPs only, disable internet-facing management access, and monitor firewall logs for unauthorized administrative sessions.

  • May 27, 2026 — CVE-2026-48027: Nx Console Embedded Malicious Code Vulnerability. Supply chain compromise. Verify whether any integrators or developers in your environment use this tool.

  • May 27, 2026 — CVE-2026-45321: TanStack Unspecified Vulnerability. Assess whether TanStack libraries are present in any web-based HMI dashboards or utility customer portals.

  • May 27, 2026 — CVE-2026-8398: Daemon Tools Lite Embedded Malicious Code Vulnerability. Another supply chain compromise. If Daemon Tools is installed on any workstation in your environment — particularly OT engineering workstations — quarantine and investigate immediately.

  • May 26, 2026 — CVE-2026-48172: LiteSpeed cPanel Plugin Privilege Escalation Vulnerability. Relevant if your utility hosts any web infrastructure on cPanel-managed servers.

Standing Compliance Deadlines — Non-Negotiable:

  • June 30, 2026 — AWIA Tier 1 (Population 50,000–99,999): Updated Emergency Response Plans must be certified to EPA. 30 days remaining.

  • June 30, 2026 — AWIA Tier 2 (Population 3,301–49,999): Recertified Risk and Resilience Assessments must be certified to EPA. Updated ERPs for this tier are due December 31, 2026.

  • CIRCIA reporting obligations remain active: Any covered entity that "reasonably believes" a qualifying cyber incident has occurred must report within 72 hours. Ransomware payments must be reported within 24 hours.

Operator action: If you have not yet registered with EPA's cybersecurity programs, registration requires formal webform submission through EPA's Cybersecurity for the Water Sector page. This is not a phone call — it is a structured online process. Do not wait.

THE ACTION PLAN

Immediate Patch Action — PAN-OS (CVE-2026-0257):

☐ Identify all Palo Alto Networks PAN-OS devices in your IT and OT environments within 24 hours.
☐ Verify whether management interfaces are exposed to the internet. If yes, disable internet-facing management access immediately as a compensating control.
☐ Apply the vendor patch under emergency change control. Do not wait for your next scheduled maintenance window.
☐ Review PAN-OS authentication logs for the past 30 days for anomalous admin logins, unfamiliar source IPs, or failed authentication spikes.
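The log review in the checklist above (and the compensating controls listed for CVE-2026-0257 in the Compliance Log) can be scripted. The example below is added here and is not from the briefing, Palo Alto Networks, or any vendor tool: it triages a simplified, constructed admin-authentication log for the three signals an operator is told to look for, namely successful admin logins from outside a trusted management subnet, bursts of failed authentication from one source IP, and creation of a new admin account. The log layout, the trusted subnet, and every IP, user and timestamp are assumptions invented for the example; real PAN-OS system logs use a different field layout and must be mapped into this shape first.

```python
"""Triage an admin-authentication log for: admin logins from outside the
management allowlist, failed-auth bursts per source IP, and new admin
account creation. Log format and all values below are CONSTRUCTED."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) trusted management subnets for this utility.
TRUSTED_MGMT = [ip_network("10.20.30.0/24")]
FAIL_THRESHOLD = 5                   # failures from one IP ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window = a spike

# Constructed sample: "<ISO timestamp>,<event>,<user>,<source ip>,<result>"
SAMPLE_LOG = """\
2026-05-25T02:10:05,auth,admin,10.20.30.15,success
2026-05-25T02:11:40,auth,admin,198.51.100.77,failure
2026-05-25T02:12:02,auth,admin,198.51.100.77,failure
2026-05-25T02:12:30,auth,admin,198.51.100.77,failure
2026-05-25T02:13:11,auth,admin,198.51.100.77,failure
2026-05-25T02:14:45,auth,admin,198.51.100.77,failure
2026-05-25T02:25:00,auth,admin,198.51.100.77,success
2026-05-25T02:26:30,admin-create,svc_backup,198.51.100.77,success
"""

def parse(line):
    ts, event, user, src, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "src": ip_address(src), "result": result}

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_MGMT)

def triage(log_text):
    """Return (signal, user, source_ip) tuples in detection order."""
    findings = []
    failures = defaultdict(list)      # source ip -> recent failure timestamps
    for rec in map(parse, log_text.strip().splitlines()):
        src = str(rec["src"])
        if rec["event"] == "auth" and rec["result"] == "failure":
            # keep only failures still inside the sliding window, then add this one
            recent = [t for t in failures[rec["src"]] if rec["ts"] - t <= FAIL_WINDOW]
            recent.append(rec["ts"])
            failures[rec["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once, as the burst crosses the line
                findings.append(("failed-auth-spike", rec["user"], src))
        elif rec["event"] == "auth" and rec["result"] == "success" and not is_trusted(rec["src"]):
            # successful admin login from a non-allowlisted address
            findings.append(("untrusted-admin-login", rec["user"], src))
        elif rec["event"] == "admin-create":
            # the tabletop scenario: a new admin account appearing overnight
            findings.append(("new-admin-account", rec["user"], src))
    return findings
```

Run `triage(SAMPLE_LOG)` against an export covering the last 30 days; any finding from an address outside the management allowlist is the trigger for the emergency change control and CIRCIA determination steps described in this issue.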

Fortinet EMS (CVE-2026-35616):

☐ Determine whether Fortinet EMS is deployed in your environment, including by managed security service providers.
☐ If deployed, coordinate with your Fortinet vendor for immediate patch application.
☐ Review EMS audit logs for unauthorized configuration changes or unexpected endpoint policy deployments.

AWIA 30-Day Sprint:

☐ Confirm your ERP or RRA certification package is in final internal review. If it is not, escalate to the utility director today.
☐ Verify you have current login credentials for EPA's certification webform. Do a test login this week — do not discover on June 29 that your credentials are locked.
☐ Ensure your ERP reflects current cyber threats, including the credential theft and ransomware techniques flagged by the FBI this week. An ERP that does not address ransomware scenarios will not withstand scrutiny.

Supply Chain Hygiene:

☐ Contact your primary SCADA integrator and ask whether they use Nx Console, TanStack, or Daemon Tools in any part of their development or deployment workflow. Document the response.
☐ Review all software installed on OT engineering workstations. If Daemon Tools Lite is present, quarantine the workstation and investigate for indicators of compromise.

TABLETOP EXERCISE — 5 Minutes:

Your lead operator receives a call from your managed firewall provider at 0630 on a Monday morning. They report that the PAN-OS management interface on your primary SCADA perimeter firewall was accessed by an unrecognized IP address overnight, and a new admin account was created. Your SCADA network is on the other side of that firewall. You have no secondary firewall, and your HMI workstations have been operating normally — no alarms, no process deviations.

☐ Do you isolate the SCADA network immediately by pulling the firewall offline, knowing this will blind your operators to remote site telemetry? Or do you leave connectivity up while you investigate?
☐ At what point does this event trigger your CIRCIA 72-hour reporting obligation — when the firewall provider calls you, or when your own team confirms malicious activity? Who in your organization makes that "reasonably believes" determination?
☐ Your ERP says to "contact IT support" for cyber incidents. IT support is a single person who is on vacation. What is your backup contact chain, and is it documented and current?
☐ The unauthorized admin account has been active for 11 hours. What lateral movement could an attacker have accomplished in that time given your current network segmentation — or lack of it?
☐ If your investigation reveals that the attacker pivoted from the firewall into your OT network and modified chlorine dosing setpoints by 0.2 mg/L — not enough to trigger a process alarm but enough to affect compliance over time — how would you detect that? When would you detect it?

Hold the line,

Jeff Farrell
Critical Infrastructure Intelligence Analyst
Reinforcefy | The CIP Briefing
