The Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control systems (ICS) advisory on May 12, 2026, warning that multiple authenticated-user vulnerabilities affect Subnet Solutions PowerSYSTEM Center. The advisory, identified as ICSA-26-132-01, highlights flaws present in PSC 2020, PSC 2024, and PSC 2026 devices, urging organizations in the energy sector to apply recommended mitigations immediately.

PowerSYSTEM Center is a widely used platform for managing and monitoring electrical substations and other critical infrastructure. It provides utilities with tools for data acquisition, event logging, and control system management. As an ICS component, any compromise could lead to severe operational disruptions, safety hazards, or even widespread power outages.

Subnet Solutions has not yet released a patch for the identified vulnerabilities, according to the advisory. CISA is coordinating with the vendor and recommends users to implement compensatory security measures until fixes are available. The authenticated nature of these flaws means an attacker would need valid credentials to exploit them, but that requirement does not eliminate the risk—insider threats, phishing campaigns, or credentials stolen through other means could make these vulnerabilities accessible to malicious actors.

Affected Products and Scope

The advisory specifically lists three product versions:

  • PowerSYSTEM Center 2020
  • PowerSYSTEM Center 2024
  • PowerSYSTEM Center 2026

All are confirmed to contain authenticated vulnerabilities that could allow an attacker with valid user credentials to escalate privileges, execute arbitrary code, or disrupt system operations. Subnet Solutions has indicated that other versions may also be impacted, but the advisory only confirms these three variants.

CISA noted that the flaws affect the core application and its web-based management interface. Because PowerSYSTEM Center often integrates with field devices like remote terminal units (RTUs) and intelligent electronic devices (IEDs), a compromise could propagate to downstream components, magnifying the impact.

The Danger of Authenticated Flaws in ICS

While unauthenticated vulnerabilities that can be exploited remotely without user interaction often grab headlines, authenticated flaws present a distinct and equally dangerous threat vector. In ICS environments, user accounts are typically granted elevated privileges to configure settings, perform maintenance, or access sensitive operational data. If an attacker manages to obtain legitimate credentials—through weak password policies, social engineering, or exploitation of other vulnerabilities—they can use these authenticated flaws to move laterally, escalate privileges, or cause physical damage.

CISA’s advisory does not disclose specific technical details, which is standard practice to give users time to apply patches before details are made public. However, the agency has characterized the vulnerabilities as carrying high risk given the critical nature of the energy sector. Typical authenticated vulnerabilities in ICS platforms include SQL injection, command injection, insecure deserialization, missing authorization checks, or cross-site request forgery. Attackers who successfully exploit such flaws could potentially rewrite device configurations, manipulate monitoring data, or issue unauthorized controls.

One of the most concerning scenarios involves an attacker escalating from an authenticated user to an administrator, gaining full control over the PowerSYSTEM Center instance. With that level of access, they could disable alarms, hide their malicious activity, and even pivot to connected substation equipment. The interconnectedness of modern grid infrastructure means a breach in one utility’s control center could cascade into regional instability.

Until Subnet Solutions releases patches, CISA has published a set of interim defensive measures that organizations should apply immediately. These align with the agency’s established “Defense in Depth” strategy for ICS security and include:

  • Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet. Use firewalls, demilitarized zones (DMZs), and network segmentation to isolate ICS networks from corporate IT networks.
  • Enforce strong authentication policies, including multi-factor authentication where possible, and eliminate default or shared accounts. Implement least-privilege access controls so that even if an account is compromised, the damage is limited.
  • Monitor and log all access to the PowerSYSTEM Center application, paying special attention to administrative functions. Use an intrusion detection system (IDS) tuned to ICS protocols to spot anomalous behavior.
  • Conduct regular vulnerability assessments and penetration tests against the ICS environment, specifically targeting the authenticated attack surface.
  • Prepare an incident response plan that includes ICS-specific scenarios, and ensure it is tested through tabletop exercises.

If patches become available, CISA urges administrators to prioritize their deployment. The advisory also reminds users that even patched systems require continuous monitoring, as new vulnerabilities may emerge.

Industry Reaction and Broader Context

Energy companies have grown increasingly vigilant since the Colonial Pipeline ransomware attack in 2021 and the emergence of state-sponsored threat actors targeting critical infrastructure. Advisories concerning ICS equipment now prompt immediate board-level attention. A decade ago, authenticated flaws might have been downplayed because “the attacker already needs a password.” Today, security leaders understand that credentialed access is a low bar, especially with the ubiquity of phishing and credential stuffing.

Subnet Solutions is a smaller vendor, but its products run in hundreds of utility control rooms across North America, Europe, and the Middle East. While no exploitation of these particular vulnerabilities has been reported in the wild, the window between disclosure and active targeting can be alarmingly short. In 2025, CISA issued a similar advisory for Siemens Energy’s Sicam platform, and within weeks researchers detected scanning for the relevant CVE numbers from IP addresses linked to known advanced persistent threat groups.

The PowerSYSTEM Center advisory arrives amid a broader push by the U.S. government to mandate security baselines for operational technology (OT). The National Cybersecurity Strategy, coupled with directives from the Department of Energy, has placed ICS under a microscope, especially concerning supply chain integrity. Vendors face mounting pressure to adopt secure-by-design principles and provide timely patches.

What Organizations Should Do Next

If you operate Subnet Solutions PowerSYSTEM Center in any capacity, CISA’s advisory should be treated as a five-alarm fire. Even if your organization believes it has no direct internet-facing ICS components, internal threats and credential compromises remain possible. Here is a tactical checklist:

  1. Inventory Your Instances: Immediately locate every PowerSYSTEM Center deployment in your environment. Verify version numbers. If you are running 2020, 2024, or 2026, you are vulnerable; other versions may also be affected, so engage Subnet Solutions support.
  2. Isolate Critical Systems: Place all affected servers into a tightly controlled network segment. Block all inbound and outbound traffic that is not explicitly required for operational functions. Consider using application-aware firewalls that can enforce deep packet inspection of ICS protocols.
  3. Reset Credentials: Force a password change for every user account that can access PowerSYSTEM Center. Enforce complexity requirements and prohibit password reuse across systems.
  4. Enable Enhanced Logging: Turn on detailed audit logs and forward them to a security information and event management (SIEM) platform. Create alerts for any unusual access patterns, especially bulk data exports or configuration changes.
  5. Engage the Vendor: Contact Subnet Solutions through their support portal to understand the patch timeline and any available workarounds. Document your communication in case regulatory agencies require evidence of due diligence.
  6. Review Third-Party Access: If contractors or remote support teams have login capabilities, immediately reassess their need for access and enforce time-bound, just-in-time access controls.

CISA also maintains a free Cyber Hygiene scanning service that can help organizations identify internet-facing ICS assets, though PowerSYSTEM Center should never be directly connected to the internet in a well-architected environment.

The Long-Term View

The energy sector’s dependence on legacy software and hardware makes patching a complex undertaking. Many utilities schedule maintenance windows months or even years in advance; unscheduled downtime to apply a critical patch can conflict with operational priorities. That friction has led CISA and the National Institute of Standards and Technology (NIST) to push for more resilient architectures that assume compromise and contain damage through microsegmentation and zero-trust principles.

For Subnet Solutions, this advisory marks a pivotal moment. How swiftly the company delivers patches and communicates transparently with customers will shape its reputation. In a hyper-competitive ICS market where trust is paramount, lagging on security can cost vendors significant market share. Competitors are already touting their “secure by design” credentials, and utility procurement teams increasingly weigh security posture as heavily as functionality.

The advisory serves as a stark reminder that no ICS platform is immune. Even systems that require authentication can house dangerous flaws. Organizations must treat every user account, every configuration file, and every API endpoint as a potential attack vector. The mantra “assume breach” applies as much to control centers as to corporate offices.

As the 2026 hurricane season approaches, and with geopolitical tensions fueling cyber threats, the last thing the grid needs is an avoidable breach caused by unpatched vulnerabilities. CISA’s advisory is a call to action—ignore it at your own peril.