CISA has republished two critical industrial control system (ICS) advisories affecting Programmable Logic Controllers (PLCs) that are deployed across Texas manufacturing, energy, and critical infrastructure SMBs. The advisories, ICSA-26-132-01 and ICSA-26-132-03, cover severe vulnerabilities in ABB AC500 V3 and Fuji Electric Tellus PLCs that could allow remote attackers to manipulate industrial processes, steal cryptographic keys, or disrupt operations.
The Story in Plain English
PLCs are the "brains" of industrial equipment — the computer chips that control everything from assembly lines and conveyor systems to temperature controls in food processing plants and pressure monitoring in chemical facilities. For most Texas SMBs that use any kind of automated industrial equipment, the PLC is the system running your business.
CISA's advisory covers three specific vulnerabilities in ABB AC500 V3 PLCs (CVSS scores of 5.3 to 8.3):
- CVE-2025-2595 (CVSS 5.3) — Attackers can bypass user management and read visualization files, essentially giving them access to operational data without authentication
- CVE-2025-41659 (CVSS 8.3) — Low-privileged attackers can read and write cryptographic certificates and keys, exposing your encryption infrastructure and allowing unauthorized certificates to be trusted
- CVE-2025-41691 (CVSS 7.5) — Unauthenticated attackers can cause denial-of-service through specially crafted communication requests, essentially shutting down your industrial equipment remotely
The vulnerabilities also extend to Fuji Electric Tellus systems through ICSA-26-132-01. What makes these particularly concerning is that all three ABB vulnerabilities are exploitable remotely — meaning an attacker with network access to your industrial equipment can exploit them without physical access.
Why This Matters to a Texas SMB Owner
You might be thinking this is an enterprise-level concern. Let me be clear: if your business uses any automated industrial processes, this advisory is directly relevant to you.
Texas has the largest industrial base in the United States, and the vast majority of that industrial activity is conducted by small and medium businesses. From the Houston Ship Channel's chemical and petrochemical operations to Central Texas food processing, West Texas oil field operations, and Dallas-Fort Worth manufacturing corridors — PLC-controlled systems are everywhere.
Which Texas SMBs Are at Risk?
According to CISA's background information, these vulnerabilities affect the following critical infrastructure sectors:
- Chemical industry — Chemical manufacturers and distributors across Texas's major industrial corridors, including the Houston Ship Channel
- Critical manufacturing — Any SMB that manufactures products using automated production lines, CNC machines, or robotic systems
- Energy — Oil and gas operations, power generation facilities, and energy services companies across Texas
- Water and wastewater — Municipal and private water treatment facilities that use PLCs for water quality monitoring and distribution
- Food processing — Food manufacturing and processing facilities in Central and East Texas
- Bulk chemicals — Storage and distribution operations that require precise process control
The Cost of an Industrial Control Breach
For SMBs, the cost of an industrial control system breach is often existential:
- Production downtime — Industrial equipment that's been compromised may need to be completely rebuilt, not just patched
- Safety risks — Manipulated PLCs can cause physical damage to equipment or endanger workers
- Product integrity — Food processing and chemical manufacturing facilities that have been manipulated face immediate regulatory and liability exposure
- Business continuity — Many SMBs can't afford more than a few days of production downtime before facing financial catastrophe
Exploitation Risk Assessment
While CISA noted that ABB had not received reports of active exploitation at the time of the advisory's issuance, these vulnerabilities are remotely exploitable, so anyone with network access to the affected systems is in a position to exploit them. The CVSS 8.3 rating on the certificate theft vulnerability (CVE-2025-41659) is particularly concerning because it means an attacker who gains low-level access can escalate to full control of the cryptographic infrastructure.
The key question for Texas SMBs is: is your industrial control network truly isolated from your business network? Many SMBs make the mistake of connecting their industrial equipment to their general network for convenience — and that connection is exactly what an attacker needs to exploit these vulnerabilities.
Compliance and Legal Implications for Texas SMBs
OSHA and Safety Implications
Manipulated industrial equipment isn't just a cybersecurity issue — it's a worker safety issue. OSHA's General Duty Clause requires employers to provide a workplace free from recognized hazards. A compromised PLC controlling pressure, temperature, or mechanical systems directly triggers this requirement.
Texas SB 2610 — Industrial SMBs Are Covered
Texas Senate Bill 2610 applies to SMBs across all industries, including those with industrial control systems. Your ICS security posture is part of your "reasonable cybersecurity practices" under the law. If you can't demonstrate adequate ICS security controls and you're breached through a known PLC vulnerability, your safe harbor position is significantly weakened.
Regulatory Cascading Impact
- NERC CIP — Energy sector SMBs may be subject to NERC CIP requirements for ICS security
- EPA — Water and wastewater facilities must maintain process control integrity for environmental compliance
- DOJ/ATF — Manufacturing facilities that produce controlled items must maintain chain-of-custody controls in their production systems
- SOC 2 — Any SMB with SOC 2 certification must demonstrate adequate ICS security controls to auditors
What CYFORi Would Do
When we see ICS advisories like this, our standard recommendation to Texas SMBs is immediate assessment and remediation:
1. Audit Your PLC Inventory
Many Texas SMBs don't have a complete inventory of their PLC infrastructure. We recommend immediately identifying all PLCs, HMIs, and SCADA systems in your facility and determining whether they use ABB AC500 V3 or Fuji Electric Tellus products. This is not a theoretical exercise — it's an immediate operational requirement.
2. Network Isolation Assessment
Verify that your industrial control network is truly isolated from your business network. CISA explicitly recommends that "process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed."
3. Patch Management for ICS
ICS patching is different from IT patching. Industrial systems can't always be patched without production impact. We recommend working with your system integrator to develop a patching strategy that minimizes downtime while addressing the most critical vulnerabilities.
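The three steps above can be combined into one triage pass. The following is an added example, not CYFORi's or CISA's tooling: it matches a constructed inventory against the two product families named in this article and ranks affected devices by whether any firewall allow rule from outside the ICS zone reaches them. The CSV columns, zone names, addresses, rules and priority labels are all assumptions.

```python
import csv
import io
import ipaddress

# Product families named in the advisories discussed on this page.
AFFECTED = ("abb ac500 v3", "fuji electric tellus")

# Constructed sample inventory (not real assets); column names are assumptions.
INVENTORY_CSV = """name,vendor_model,ip
line1-plc,ABB AC500 V3,10.20.0.11
pack-station,Fuji  Electric Tellus,10.20.0.40
boiler-plc,ExampleCo PLC-9,10.20.0.12
mixer-plc,abb ac500 v3,10.20.1.5
"""

# Constructed firewall allow rules: (source zone, destination network, port).
ALLOW_RULES = [
    ("ics", "10.20.0.0/16", "any"),
    ("business", "10.20.0.11/32", "443"),
    ("business", "10.20.0.0/24", "any"),
    ("internet", "10.20.0.40/32", "8080"),
]

def is_affected(vendor_model):
    # Normalise case and whitespace so free-text inventory entries still match.
    text = " ".join(vendor_model.lower().split())
    return any(product in text for product in AFFECTED)

def exposures(ip, rules, trusted_zone="ics"):
    """Return (zone, port) for each allow rule reaching ip from outside the ICS zone."""
    addr = ipaddress.ip_address(ip)
    return sorted((zone, port) for zone, net, port in rules
                  if zone != trusted_zone and addr in ipaddress.ip_network(net))

def triage(inventory_csv, rules):
    """Rank affected devices: internet-reachable first, isolated last."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["vendor_model"]):
            continue
        exp = exposures(row["ip"], rules)
        if any(zone == "internet" for zone, _ in exp):
            priority = "P1-internet"
        elif exp:
            priority = "P2-cross-zone"
        else:
            priority = "P3-isolated"
        findings.append((priority, row["name"], exp))
    return sorted(findings)

if __name__ == "__main__":
    print(*triage(INVENTORY_CSV, ALLOW_RULES), sep="\n")
```

A P3 result reflects only the rules supplied to the script; it does not confirm physical separation or catch paths such as dual-homed engineering workstations.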
What a Texas SMB Should Do This Week
- Inventory your industrial control equipment — Identify all PLCs, HMIs, and SCADA systems
- Check vendor specifications — Determine if your equipment uses ABB AC500 V3 or Fuji Electric Tellus products
- Assess network isolation — Verify your ICS network is isolated from your business network
- Contact your system integrator — Discuss patching and upgrade options for your specific equipment
- Update your ICS incident response plan — Ensure your IR procedures account for industrial control system compromise
Is Your Industrial Infrastructure Protected?
CYFORi specializes in industrial control system security for Texas SMBs. We help you assess, protect, and monitor your ICS infrastructure against threats like the vulnerabilities outlined in today's CISA ICS advisories.