Federal Alert Confirms Security Firm's Dire Warning on Infrastructure

📊 Key Data
  • 1.67/5: Manufacturing sector's score on vendor access security, the lowest in the study
  • 6.47/10: U.S. score on remote access security, trailing European peers (6.62/10)
  • March 2026: Start of confirmed cyber-attacks on U.S. critical infrastructure
🎯 Expert Consensus

Both the federal advisory and the Tosi report describe the attacks as exploiting a well-known but unaddressed gap in industrial remote access, and both point to the same remedy: enforced access controls and isolation of critical systems from the public internet.

IRVING, TX – April 22, 2026 – A stark federal advisory issued this month has confirmed what one cybersecurity firm warned of just two months prior: a simple, widely known weakness is being actively exploited by foreign adversaries to attack America’s critical infrastructure. The weakness is not a software bug but a practice: the way industrial facilities grant remote access to outside vendors, which leaves industrial controllers reachable from the internet and has turned a convenience into an open door to sensitive operational technology (OT) systems.

On April 7, a coalition of six U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, released a joint advisory detailing ongoing cyber-attacks against U.S. critical infrastructure that began in at least March 2026. The alert, "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers," describes a campaign causing operational disruptions in sectors like water, wastewater, and energy. The entry method was alarmingly straightforward: attackers connected to internet-exposed industrial controllers using the manufacturer's own software, facing no barriers to entry.

This federal confirmation landed just weeks after cybersecurity firm Tosi published its "2026 State of OT Security Report." The independent study, released in February, had already identified vendor remote access as the single weakest security capability across every industry it surveyed.

An Early Warning Sounded Months Before

Tosi's report, which benchmarked 77 large U.S. enterprises, painted a troubling picture of industrial security practices long before the federal government raised the alarm. The research found that vendor remote access was the lowest-scoring capability, indicating a systemic failure to secure the digital supply chain.

The most alarming data point came from the manufacturing sector, one of the industries named in the federal advisory. In Tosi's study, manufacturing scored a dismal 1.67 out of 5 on the security of vendor access to plant floor systems—the lowest score for any single question in the entire dataset. This suggests a widespread reliance on insecure methods like open ports or shared credentials with no individual accountability.

The parallel between the firm's research and the government's findings was not lost on its leadership. "The actors connected to internet-facing industrial controllers the same way a legitimate vendor would, because there was nothing in place to tell the difference," said Sakari Suhonen, CEO of Tosi U.S., in a statement. "The advisory confirmed that attacks on critical infrastructure were already underway in March. Our research, conducted independently in February, found the same structural gap. Two separate efforts, looking at the same problem, reaching the same conclusion."

The federal advisory attributes the malicious activity to Iranian-affiliated advanced persistent threat (APT) actors. These groups reportedly reached internet-exposed devices such as Rockwell Automation programmable logic controllers (PLCs) using common remote access tools and overseas-based infrastructure, then used that access to take control of the devices, manipulate data shown on operator displays, and cause significant disruption.

Beyond Tools: Why a 'Known Gap' Remains Open

The vulnerability at the heart of these attacks is not a sophisticated, unknown "zero-day" exploit. Instead, experts and the report itself describe it as a "known gap" that organizations have failed to close, highlighting a critical disconnect between possessing security tools and actually enforcing security controls.

"The organizations at the top of our maturity scale have one thing in common: they have turned deployed tools into enforced controls," Suhonen noted. "What the advisory describes is not a novel threat. It is a known gap that has not been closed."

This gap is exacerbated by poor operational hygiene. Tosi’s report revealed that one in three U.S. organizations takes hours or even longer to revoke a vendor's system access after a job is complete. Worse, one in eight takes days or weeks, leaving a wide window of opportunity for an attacker to use compromised but still-valid credentials. This lingering access turns a temporary necessity into a persistent and dangerous vulnerability.
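One way to put numbers on that revocation delay, as an added example that is not Tosi's tooling or the report's methodology: parse a vendor-access broker's event log, measure the gap between job completion and revocation for each ticket, bucket it the way the report does (under an hour, hours, days or longer), and flag grants that are still live so they can be revoked automatically. The log format, the field names, the reference time and the sample lines below are all constructed for this example.

```python
"""Measure vendor-access revocation lag from a broker event log.

Added example for this article, not code from Tosi or from the advisory.
Log format (assumed): ISO-8601 UTC timestamp, event name, key=value fields.
Events: GRANT (access opened), DONE (vendor reports job complete), REVOKE (access closed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three tickets, one revoked promptly, one the next
# morning, and one whose job finished but whose access was never revoked.
SAMPLE_LOG = """\
2026-03-02T08:00:00Z GRANT  ticket=CHG-1041 vendor=acme-svc target=plc-line3
2026-03-02T11:30:00Z DONE   ticket=CHG-1041
2026-03-02T11:45:00Z REVOKE ticket=CHG-1041
2026-03-03T09:00:00Z GRANT  ticket=CHG-1052 vendor=pumpco   target=plc-well7
2026-03-03T13:00:00Z DONE   ticket=CHG-1052
2026-03-04T06:00:00Z REVOKE ticket=CHG-1052
2026-03-05T10:00:00Z GRANT  ticket=CHG-1060 vendor=acme-svc target=hmi-wwtp
2026-03-05T12:00:00Z DONE   ticket=CHG-1060
"""

# Reference "now" for the constructed log (assumption): four days after the last job finished.
SAMPLE_NOW = datetime(2026, 3, 9, 10, 0, 0)


def parse_log(text: str) -> dict[str, dict]:
    """Group events by ticket: {ticket: {"GRANT": dt, "DONE": dt, "REVOKE": dt, "vendor": ..., "target": ...}}."""
    tickets: dict[str, dict] = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        attrs = dict(f.split("=", 1) for f in fields)
        t = tickets[attrs["ticket"]]
        t[event] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # naive datetime, UTC
        for key, value in attrs.items():
            t.setdefault(key, value)  # vendor/target come from the GRANT line
    return dict(tickets)


def bucket(lag: timedelta) -> str:
    """Bucket a revocation delay the way the report reports it."""
    if lag < timedelta(hours=1):
        return "under an hour"
    if lag < timedelta(days=1):
        return "hours"
    return "days or longer"


def revocation_report(text: str, now: datetime) -> dict[str, dict]:
    """For every ticket whose job is done, report how long access stayed open after DONE.
    Unrevoked grants are measured up to `now` and marked still_active."""
    report = {}
    for ticket, t in parse_log(text).items():
        if "DONE" not in t:
            continue  # job still in progress; nothing to revoke yet
        revoked_at = t.get("REVOKE")
        lag = (revoked_at or now) - t["DONE"]
        report[ticket] = {
            "vendor": t.get("vendor"),
            "target": t.get("target"),
            "lag_hours": round(lag.total_seconds() / 3600, 2),
            "bucket": bucket(lag),
            "still_active": revoked_at is None,
        }
    return report


def auto_revoke_due(report: dict[str, dict], max_lag_hours: float = 1.0) -> list[str]:
    """Tickets whose access is still open longer than the allowed grace period
    after job completion; a broker would revoke these without waiting for a human."""
    return sorted(t for t, r in report.items()
                  if r["still_active"] and r["lag_hours"] > max_lag_hours)


if __name__ == "__main__":
    rep = revocation_report(SAMPLE_LOG, SAMPLE_NOW)
    for ticket, r in rep.items():
        state = "STILL ACTIVE" if r["still_active"] else "revoked"
        print(f"{ticket}: {r['vendor']} -> {r['target']}: {r['lag_hours']}h ({r['bucket']}, {state})")
    print("auto-revoke now:", auto_revoke_due(rep))
```

The useful output is not the three rows but the distribution: run this over a quarter of real broker logs and the share of tickets in the "hours" and "days or longer" buckets is the figure to compare against the one-in-three and one-in-eight the report cites. The `auto_revoke_due` check is the control that makes the metric moot: a grant that expires on its own when the job closes cannot linger.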

The report also suggests that the United States may be falling behind its international peers in this specific area. Remote access was the only capability measured where the U.S. (scoring 6.47 out of 10) trailed European respondents (6.62 out of 10). The margin is narrow, but it is the one place in the survey where European organizations managed third-party access better than their U.S. counterparts.

Securing the Front Door to Critical Systems

In response to the active threats, the federal advisory’s primary recommendation is for organizations to immediately remove industrial controllers from direct exposure to the public internet. The agencies urge the use of secure gateways and firewalls to create a buffer zone, effectively isolating sensitive OT assets. Putting a controller behind a gateway so that nothing on the internet can reach it directly, and forcing every remote session to authenticate to that gateway rather than to the device, is the core of what is often called a "Zero Trust" approach to remote access: no device is ever directly reachable, and every access attempt is scrutinized before it is allowed through.

This is precisely the function for which platforms like Tosi's are designed. The company's gateways are purpose-built to sit between the public internet and the plant floor, creating a secure perimeter. This architecture ensures that vendors and remote staff can still perform necessary maintenance without exposing the entire control system to online threats.

Proactive municipalities are already adopting this model. The City of Sandusky, Ohio, which operates a municipal water and wastewater utility, has implemented the Tosi platform to protect its vital networks.

"Tosi allows the City of Sandusky to keep our wastewater and drinking water networks securely isolated while still allowing for quick support from vendors and remote staff when needed," said Matthew DeVries, the city's IT Manager. This implementation demonstrates a practical application of the principles now being urgently recommended by federal agencies.

As nation-state actors increasingly target the physical world through cyber means, the line between digital security and public safety is blurring. The convergence of Tosi's predictive research and the stark reality of the federal alert sends a clear message: the time to address the known, gaping holes in industrial security is now, before the next disruption affects essential services that millions of Americans rely on every day.
