December 8, 2025

Synopsis

The analysis indicates that unidentified external actors are actively exploiting two long-known OpenPLC ScadaBR web vulnerabilities to gain code execution on SCADA/HMI servers, potentially manipulating industrial processes and using compromised interfaces as pivot points into broader OT and IT networks. Strategically, this forces organizations and boards to treat KEV-listed OT vulnerabilities as enterprise risk, prioritizing ICS patching, segmentation, and KEV-driven governance in risk registers and capital plans. Operationally, security, engineering, and operations teams must adjust monitoring, incident response, change management, and vendor access processes around ScadaBR and similar platforms, while tactically updating detections, hunts, and playbooks to focus on exploitation of specific endpoints, webshell deployment, and abnormal HMI activity. The described threat and FAIR estimates imply a non-trivial likelihood of at least annual loss events for unremediated, exposed instances and moderate susceptibility where patching and segmentation lag, meaning current risk posture for many ICS adopters is only moderate at best and potentially much weaker in poorly governed environments. Financial resilience is stressed by the potential for repeated response costs, downtime, and secondary regulatory or reputational losses that can scale from tens of thousands to several million dollars per severe incident, making proactive remediation, architecture hardening, and scenario-based planning materially cheaper and more sustainable than absorbing recurring KEV-driven OT compromises.

Evaluated Source, Context, and Claim

Artifact Title

CISA Adds One Known Exploited Vulnerability to Catalog

https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

CVE-2021-26829

https://www.cve.org/CVERecord?id=CVE-2021-26829

CISA Adds One Known Exploited Vulnerability to Catalog

https://www.cisa.gov/news-events/alerts/2025/12/03/cisa-adds-one-known-exploited-vulnerability-catalog

CVE-2021-26828

https://www.cve.org/CVERecord?id=CVE-2021-26828

Source Type

U.S. government cybersecurity web alert (CISA KEV catalog update)

Publication Date: November 28 through December 3, 2025

Credibility Assessment

CISA and MITRE/NVD are authoritative, primary sources for U.S. government vulnerability and CVE records, and multiple independent references reproduce the same technical details for these flaws. There is no indication in the provided material of conflicting or disputed information.

General Claim

CISA reports that two long-known OpenPLC ScadaBR web vulnerabilities (stored XSS and authenticated arbitrary file upload) are now being actively exploited and must be urgently remediated by federal and other organizations using the software.

Narrative Reconstruction

The information describes an unidentified set of malicious cyber actors actively exploiting two older web application vulnerabilities in OpenPLC ScadaBR, an industrial control/HMI platform, including a stored cross-site scripting flaw and an unrestricted file upload issue that allows authenticated users to upload and execute arbitrary JSP files via exposed configuration pages. The actors likely follow a kill-chain-like flow in which they first identify internet-exposed or otherwise reachable ScadaBR instances, then leverage these web flaws to gain code execution on the application tier, using the compromised interface as a foothold into industrial or operational networks. The primary assets at risk are the ScadaBR application servers, associated HMIs, and linked control or monitoring systems, where these systems are poorly segmented, broader OT and supporting IT assets may also be exposed. The operational goal of such activity is plausibly to gain persistent access and control over SCADA/HMI environments for purposes such as unauthorized command execution, process manipulation, or staging further disruptive or espionage-focused operations, with CISA emphasizing that these vulnerabilities pose significant risk to the federal enterprise and should be remediated as a priority.

Risk Scenario

Risk Scenario

A malicious external cyber actor exploits known OpenPLC ScadaBR web vulnerabilities (stored XSS and authenticated arbitrary JSP upload) against an organization’s exposed or reachable SCADA/HMI web interface, resulting in unauthorized code execution on the ScadaBR server, potential manipulation or disruption of monitored industrial processes, and associated recovery, regulatory, and reputational losses.

Threat

External malicious cyber actors (which may include criminal, opportunistic, or ideologically motivated groups) that actively scan for and exploit known vulnerabilities listed in CISA’s KEV catalog, including the OpenPLC ScadaBR CVEs.

Method

The threat exploits stored XSS in system_settings.shtm and an unrestricted upload flaw that allows remote, authenticated users to upload and execute arbitrary JSP files via view_edit.shtm, using these web application weaknesses as entry points to run attacker-controlled code on the SCADA application server.

Asset

The primary asset is the organization’s OpenPLC ScadaBR deployment (application server, configuration pages, and HMIs) and any connected industrial control systems whose state or commands are administered through that environment; secondarily, the supporting IT infrastructure hosting or integrating with ScadaBR is also at risk.

Impact

Successful exploitation may enable unauthorized execution of code or scripts in the SCADA environment, leading to loss of integrity or availability of monitoring and control functions, potential safety or compliance issues depending on the industrial process, and financial losses from incident response, remediation, operational downtime, and possible regulatory or contractual consequences.

Evidentiary Basis for Synopsis and Recommendations

Supporting observations from the analysis help clarify how the threat landscape, control environment, and organizational behaviors interact to shape overall risk exposure. These insights provide the foundation for identifying where controls perform well, where gaps or weaknesses create unnecessary vulnerability, and how attacker methods intersect with real-world operational conditions. Building on these findings, the recommendations that follow focus on strengthening resilience, improving decision-making, and guiding readers toward practical steps that enhance both security posture and risk-informed governance.

FAIR Breakdown

Threat Event Frequency (TEF)

Because the OSINT describes the active exploitation of long-standing, widely known vulnerabilities that are now in CISA’s KEV catalog, TEF must be inferred from the attacker's interest in ICS/SCADA web applications, the software's prevalence, and historical patterns of KEV targeting. For a single organization running exposed or poorly segmented OpenPLC ScadaBR, TEF is likely low-to-moderate (on the order of a couple of distinct exploit attempts per year) driven by broad scanning and periodic targeted campaigns.

Contact Frequency (CF)

Attackers can use automated scanners and search engines to discover vulnerable ScadaBR instances, so CF is influenced by whether the interface is internet-exposed or reachable from less-trusted networks. For organizations with exposed or semi-exposed deployments, CF is reasonably estimated as moderate, with scanning or exploitation attempts likely to occur multiple times per year as part of routine KEV-focused campaigns against public-facing ICS/SCADA web applications.

Probably of Action (PoA)

CISA’s inclusion of these CVEs in KEV, based on evidence of active exploitation, indicates that attackers are already exploiting discovered opportunities, not merely scanning. Given the age of the vulnerabilities, the availability of technical details, and CISA’s description of such issues as frequent attack vectors, PoA is best assessed as high once a vulnerable, reachable instance is identified.

Threat Capability (TCap)

TCap is moderate-to-high, as exploiting these issues requires the ability to find vulnerable ScadaBR instances, understand and execute web-based exploits, and, for the file upload flaw, obtain or abuse authenticated access.

Exploit sophistication: The stored XSS and unrestricted file upload flaws are conceptually straightforward but still require familiarity with HTTP requests, server-side JSP behavior, and crafting payloads, indicating at least intermediate web exploitation skill.

Bypass ability: The malware uses LaunchAgents for persistence, password harvesting, and decoy prompts, indicating an ability to bypass user awareness and potentially some endpoint controls.

Tooling maturity: The age and public documentation of the CVEs mean ready-made exploit proofs-of-concept or scripts are likely available, allowing even less sophisticated actors to reuse tooling.

Campaign success rate: For organizations that have not patched or mitigated these issues and exposed ScadaBR to untrusted networks, the success rate per contact is plausibly moderate, limited mainly by how many targets still run affected versions and how often attackers can gain authenticated access.

Attack path sophistication: The path from scanning to exploiting a specific web endpoint and then executing arbitrary JSP code on a SCADA server is linear but powerful, enabling follow-on activity within OT or supporting IT networks.

Cost to run attack: Once tooling and infrastructure exist, incremental cost is low, as attackers can reuse scripts across many targets, making these flaws attractive for opportunistic campaigns.

Control Strength (CS)

Typical environments using ICS/SCADA solutions often have mixed control maturity, particularly around patching and segmentation of OT web interfaces. Overall, CS is likely moderate at best for many organizations unless they have substantial KEV-driven remediation and ICS-specific hardening programs.

Resistive Strength (RS) Effectiveness of preventive/detective controls:

Overall, the RS is likely low-to-moderate for organizations still running affected versions in exposed or semi-exposed positions.

• Organizations that closely track CISA KEV updates, maintain timely patching, and restrict external access to SCADA web interfaces can significantly reduce risk. Still, many OT environments lag in patch deployment and network segmentation.

• Web application firewalls, input validation, and hardening of upload functions can block some exploit attempts, but the underlying vulnerabilities indicate that existing preventive controls in affected versions are insufficient.

Control Failure Rate

Control failures are inferred to be moderate-to-high, given that unpatched ScadaBR versions remain in use despite long-standing public CVE disclosures and CISA’s KEV listing.

• Delayed remediation of known CVEs despite BOD 22-01 and CISA guidance indicates gaps in vulnerability management and ICS patch governance.

• Exposure of administrative or configuration pages to less-trusted networks suggests weaknesses in network segmentation and access control design.

• Logging and monitoring specific to OT web applications may be limited, reducing the chance of quickly detecting exploitation of these flaws.

Susceptibility

Given moderate-to-high attacker capability and only moderate control strength in many ICS environments, overall susceptibility for an organization that uses affected ScadaBR versions and has some degree of external or cross-network exposure is estimated at approximately 50–65 percent.

Probability the asset will be harmed is influenced by:

Exploitability: High (around 70–80 percent on vulnerable, reachable instances) because both XSS and arbitrary file upload vulnerabilities have clear, well-documented exploitation paths once preconditions (such as authentication, where required) are met.

Attack surface: Organizations that expose ScadaBR web interfaces to the internet or shared IT networks create a sizable attack surface; for ICS adopters of OpenPLC ScadaBR, 40–60 percent of deployments may be exposed or semi-exposed depending on architecture and segmentation practices.

Exposure conditions: Environments with remote operations, vendor access, or shared network segments between IT and OT are more exposed; under such conditions, susceptibility trends toward the upper end of the 50–65 percent range.

Patch status: Because these vulnerabilities were disclosed in 2021 but are still actively exploited and now in KEV in late 2025, it is reasonable to infer that a nontrivial portion of installations remain unpatched, materially increasing susceptibility where KEV-driven remediation has not been enforced.

Numerical Frequencies and Magnitudes

All values relating to actual dollar amounts are for example/speculative purposes only. Organizations would need to take into account their own asset values, control strength, telemetry, etc., and adjust numbers accordingly.

Loss Event Frequency (LEF)

1/year (estimated)

• Justification: With TEF approximated at two exploit attempts per year against a vulnerable, reachable ScadaBR instance and an estimated vulnerability (probability of harm per contact) of 0.5, a single successful loss event per year is a reasonable speculative estimate for an organization that has not remediated these CVEs.

Vulnerability (probability of harm per contact): .5

• Justification: Well-documented exploits and the nature of the flaws support a relatively high likelihood of successful compromise per meaningful contact, moderated by the need for authentication for the file-upload issue and the possibility of partial mitigations (e.g., network segmentation, WAF rules).

Secondary Loss Event Frequency

0.7/year (estimated)

• Justification: Not all primary compromises will lead to secondary events, but SCADA server compromise can plausibly lead to follow-on misuse, process impact, or regulator/partner notifications in a substantial fraction of cases; assuming roughly 70 percent of primary loss events produce some form of secondary consequence is a reasonable speculative estimate.

Loss Magnitude

Estimated range:

• Min: $50,000

• Most Likely: $250,000

• Maximum: $2,000,000

Justification:

• Minimum covers technical investigation, cleanup of the ScadaBR server, patching and hardening, and limited downtime.

• Most likely includes extended incident response, process integrity testing and validation, potential short interruptions to operations, and internal reporting.

• Maximum accounts for more significant operational disruption of industrial processes, emergency shutdowns, and substantial revalidation or remediation work, without assuming catastrophic sector-wide impact.

Secondary Loss Magnitude (SLM)

Estimated range:

• Min: $100,000

• Most Likely: $500,000

• Maximum: $5,000,000

Justification:

• Secondary losses may include regulatory inquiries, contractual penalties, reputational damage, customer communications, or additional forensic and legal costs if the compromise affects safety-critical or regulated industrial functions.

• The upper bound represents high-impact yet plausible outcomes, such as prolonged downtime, mandated upgrades, or fines for noncompliance with sectoral or federal requirements.

Mapping, Controls, and Modeling

MITRE ATT&CK Mapping

Initial Access

T1190 – Exploit Public-Facing Application

Reference: “CVE-2021-26828 OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability … OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.” “CVE-2021-26829 OpenPLC ScadaBR Cross-site Scripting Vulnerability … allows stored XSS via system_settings.shtm.” “CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.”

Execution

T1203 – Exploitation for Client Execution

Reference: “OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.” This explicitly describes exploitation of a software vulnerability to achieve arbitrary code execution on the ScadaBR server.

NIST 800-53 Affected Controls

SI-2 — Flaw Remediation

Failure to promptly remediate known, publicly documented vulnerabilities added to CISA’s KEV catalog reflects weaknesses in flaw remediation processes for affected organizations.

Reference: “Binding Operational Directive (BOD) 22-01 … established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.”

RA-5 — Vulnerability Monitoring and Scanning

Ongoing active exploitation of CVE-2021-26828 and CVE-2021-26829 against OpenPLC ScadaBR suggests that some organizations are not effectively identifying or tracking these vulnerabilities in their environments, indicating gaps in vulnerability monitoring and scanning.

Reference: “CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation… Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”

SI-10 — Information Input Validation

The presence of a stored cross-site scripting flaw in system_settings.shtm indicates insufficient validation and sanitization of user-supplied input in the ScadaBR application.

Reference: “CVE-2021-26829 … OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.”

SC-7 — Boundary Protection

Successful exploitation of these web-facing vulnerabilities against ScadaBR servers implies that boundary protections and segmentation did not entirely prevent or contain attacker access to sensitive SCADA web interfaces.

Reference: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise… CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing the timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.”

Monitoring, Hunting, Response, and Reversing

Monitoring

Monitoring for exploitation of the OpenPLC ScadaBR vulnerabilities should prioritize rich telemetry from the ScadaBR web server (HTTP access, error, and application logs for system_settings.shtm and view_edit.shtm), underlying host/OS logs, network and firewall/WAF logs around exposed ICS interfaces, identity/VPN authentication logs for ScadaBR admins, and DNS egress from the server; cloud and email telemetry are secondary unless ScadaBR is internet-hosted or admins are being phished. Logging should be configured to capture complete URLs, HTTP methods, status codes, user agents, source IPs, authentication events, and, where feasible, file-upload metadata and HTTP request bodies, with elevated log levels on configuration and upload endpoints. Key indicators include unusual access to configuration pages from unfamiliar or foreign IPs, bursts of POST requests to view_edit.shtm, unexpected JSP file creation or execution paths on the server, anomalous admin logins, and new outbound connections from the ICS segment. Likely gaps include OT web servers not integrated into central SIEM, insufficient HTTP detail (no request body or upload metadata), weak identity logging for ICS admins, and poor visibility into east–west traffic around the ScadaBR host. Correlation logic should tie together scanning or blocked WAF events, successful 200/302 responses on risky endpoints, new file creation or process activity on the server, and changes in ICS traffic or HMI commands, with low-to-moderate thresholds given the typically low-volume but high-impact nature of these systems. Dashboards should highlight KEV-related exposure (ScadaBR versions, internet-facing status), exploit-attempt trends against key endpoints, and per-asset risk scores for ICS web interfaces. At the same time, validation uses controlled test traffic and simulated exploit patterns in a lab or maintenance window to confirm that alerts, correlations, and visualizations trigger as expected without overwhelming operators.

Hunting

Hunting should be driven by hypotheses such as “an external actor has exploited CVE-2021-26828/26829 to gain code execution on our ScadaBR server,” “a JSP webshell or backdoor has been uploaded via view_edit.shtm,” or “stored XSS in system_settings.shtm is being used for session hijacking or admin impersonation.” Hunters should pull telemetry from web and application logs, OS and file system logs on the SCADA BR host, network sensors (including ICS-aware monitoring, if available), VPN/identity logs for administrators, and any ICS historian or HMI command logs that may indicate unusual actions after a compromise. Detection logic can focus on rare or first-time access to configuration pages from external or non-admin IPs, POST requests with multipart/form-data uploads to view_edit.shtm, parameters indicative of script or HTML injection in system_settings.shtm, sudden appearance of new JSP files outside the baseline application set, and anomalous outbound connections or command patterns following such events. Noise is typically low because ScadaBR admin pages and file uploads should be infrequent and tightly controlled, but hunts should account for maintenance windows and legitimate upgrades to avoid false positives; tuning by known admin IP ranges, change windows, and expected configuration paths will help maintain a favorable noise-to-signal ratio.

Response

Response preparation should ensure collection of detailed HTTP and application logs for ScadaBR, OS and file system logs from the host, firewall/WAF and VPN logs, and ICS historian/HMI logs to understand if control commands were affected; responders should expect artifacts such as suspicious JSP files, modified configuration settings, unusual admin accounts or sessions, and out-of-profile network connections from the ICS segment. While the OSINT does not describe specific anti-forensic behavior, teams should be prepared to detect and investigate missing or truncated logs, unexpected log rotation, or deletion of web content as potential tampering. Event reconstruction should build a timeline from initial scanning or first contact, through exploitation of system_settings.shtm or view_edit.shtm, to any subsequent code execution, privilege changes, lateral movement, or manipulative commands issued via HMI, with DFIR findings on timing, duration of exposure, number of affected assets, and operational disruption feeding into FAIR loss estimates and updating LEF/LM assumptions. Likely containment will include isolating the ScadaBR server from external networks, revoking or resetting admin credentials, blocking risky endpoints at WAF or firewall layers, disabling file upload features where possible, and segmenting OT from IT. At the same time, patched and upgraded versions are deployed and validated. Priority artifacts include copies of uploaded JSPs, configuration files, relevant database snapshots, complete packet captures (if available) around exploitation windows, and any ICS command logs that may evidence process impact; telemetry requirements should emphasize time-synchronized, centrally collected logs across IT and OT. IR gaps to address include absent or incomplete OT logging, lack of tested playbooks for SCADA web exploitation, and insufficient coordination between IT and engineering teams. And DFIR validation strategies should include replaying sanitized HTTP requests in a lab, verifying that patched systems are no longer exploitable, and comparing pre- and post-incident baselines for both server behavior and ICS process data.

Reverse Engineering

Reverse engineering efforts should focus on any uploaded JSP payloads or additional binaries identified on the ScadaBR host, treating them as potential loaders or webshells that interpret incoming HTTP parameters, execute OS commands, or proxy further payloads, with an emphasis on understanding how they interface with the underlying ICS environment. Analysts should examine evasion techniques such as obfuscated parameter names, encoded command strings, environment checks, or attempts to blend into legitimate application directories and naming conventions. Persistence analysis should look for modified ScadaBR configuration, scheduled tasks, startup scripts, or changes in web server settings that cause malicious JSPs or helper binaries to be loaded automatically, as well as any mechanisms for regaining access if the webshell is discovered. Indicator development should extract file paths, hashes, parameter patterns, HTTP headers, and characteristic response bodies associated with the malicious components. At the same time, dynamic hooks (e.g., instrumented servlet containers, sandboxed execution of the JSP in a lab) and static hooks (e.g., decompilation, string and control-flow analysis) are used to map supported commands and data flows. Expected artifacts include new or altered JSP files, associated log entries showing their invocation, temporary files or scripts dropped during execution, and any outbound connections initiated by the payload. Additional reverse-engineering guidance includes isolating samples on dedicated analysis infrastructure, comparing malicious JSPs against known public webshell families to accelerate triage, and feeding all derived IOCs and behavioral signatures back into detection, hunting, and patch validation workflows.

CTI

From a CTI perspective, PIRs should be refined to determine whether actors exploiting these OpenPLC ScadaBR CVEs are targeting the organization’s specific industrial sector, geographies, or key partners, how often KEV-listed ICS vulnerabilities are leveraged in observed campaigns, which TTPs (e.g., exploit public-facing OT web applications, upload arbitrary server-side scripts, pivot from IT to OT) recur, and which assets (internet-facing HMIs, partner-accessible portals, admin accounts) are consistently at risk. SIR work should highlight missing IOCs such as attacker IP ranges, URLs used for staging or callbacks, and hashes of webshells or secondary payloads, call out the need for real malware/webshell samples from incidents or sandboxes, and document infrastructure relationships (shared C2 or hosting across sectors) and attribution gaps, as well as specific logs (web, OT network, VPN) required to validate suspected activity. Collection recommendations include structured OSINT monitoring of CISA KEV updates, ICS vendor advisories, threat reports, malware sandboxes, and OT-focused communities, systematic harvesting of internal telemetry related to ScadaBR and other ICS web interfaces, collaboration with relevant ISACs/ISAOs, targeted dark web monitoring for discussions of ScadaBR exploits or access sales, and continuous ingestion of network/endpoint data tied to the ICS perimeter. Mapping and analysis should cluster campaigns and infrastructure associated with OpenPLC ScadaBR exploitation, map observed TTPs to ATT&CK (e.g., exploit public-facing application, server-side script webshell usage), compare them against historical ICS exploitation patterns, and explicitly score confidence levels while identifying emerging trends such as increased focus on KEV-listed OT vulnerabilities or shifts in tooling; CTI products should use this mapping to validate or revise existing hypotheses about actor motivation and capability and to drive concrete recommendations for patching, segmentation, monitoring, and FAIR model parameter updates.

GRC and Testing

Governance

Governance should drive explicit policy updates requiring timely remediation of KEV-listed vulnerabilities on OT and ICS assets, with clear RACI for engineering, IT, and security teams, and minimum patch/compensating-control timelines for systems like OpenPLC ScadaBR. Oversight functions (risk committee, OT security steering group, internal audit) should regularly review KEV exposure for SCADA/HMI platforms, segmentation status, and exception handling, ensuring RA, PM, and PL family documents (risk assessment methodology, project/acquisition security requirements, system security plans) explicitly cover OT web applications, internet exposure, and vendor remote access. The risk register should add or update entries for “Exploitation of KEV-listed ICS/SCADA web vulnerabilities,” capturing TEF/LM ranges from the FAIR analysis, current control gaps (patch latency, segmentation weakness, limited OT logging), and planned risk treatments with due dates. Board and executive communication should include a concise summary of ScadaBR KEV exposure, current remediation progress, potential operational and safety impacts, and how management is integrating KEV monitoring and ICS hardening into ongoing risk and capital planning, using FAIR-derived ranges to contextualize potential losses and priority of investment.

Audit and Offensive Security Testing

Audit and offensive testing programs should explicitly test whether KEV-driven patch and configuration requirements are being met for ScadaBR and similar OT web applications, using the OpenPLC vulnerabilities as concrete test cases for both control design and operating effectiveness. Audit work should examine evidence of timely KEV review, risk acceptance documentation, change management for OT patches, segmentation controls, and logging coverage, flagging gaps where logs, asset inventories, or KEV tracking are incomplete or inconsistent with policy. Red and purple team exercises, as well as pen tests, should include in-scope OT DMZs and SCADA web interfaces, with controlled attempts to discover and exploit stored XSS and arbitrary file upload paths, reproduce likely attacker behaviors (e.g., webshell upload), and validate that WAF rules, access controls, and monitoring detect and block these actions. Findings should drive targeted control validation—verifying that compensating controls (segmentation, WAF, strong auth) mitigate residual risk when patching is constrained—and ensure that compliance obligations tied to ICS security, KEV remediation, and vulnerability management evidence are met with defensible artifacts and repeatable test procedures.

Awareness Training

Awareness training should be tuned to this scenario by emphasizing how weaknesses in process and behavior, rather than just user phishing, contribute to ICS exposure—such as lax adherence to patch windows, informal exceptions for “do not touch” OT systems, and unsafe practices around remote administration or default credentials. Role-specific content for OT/ScadaBR admins should stress responsibilities for tracking KEV entries relevant to their platforms, recognizing risky configurations (internet-exposed admin interfaces, weak auth), and coordinating safely with vendors and IT security on changes; for executives and risk owners, training should focus on understanding KEV-driven OT risk, trade-offs of deferring remediation, and how their decisions populate the risk register and FAIR estimates. Behavioral indicators to highlight include unexpected external requests for OT access, unplanned changes to SCADA interfaces, and ad hoc workarounds that bypass change control. While traditional phishing simulations are less central here, scenarios can be added that simulate social pressure to delay ICS patches or circumvent segmentation, with reinforcement cycles tied to quarterly KEV reviews and measured via metrics such as time-to-remediate KEV issues on OT assets, reduction in unapproved exposure of SCADA web interfaces, and adherence to documented exception and change processes.