The Cybersecurity and Infrastructure Security Agency (CISA) has released ten new industrial control systems (ICS) advisories, underscoring continued risks to critical infrastructure even as the agency faces funding cuts and staff reductions. The advisories, published on August 7, cover vulnerabilities in widely used products from Delta Electronics, Johnson Controls, Rockwell Automation, Yealink, and others.

The agency said the advisories provide “timely information about current security issues, vulnerabilities, and exploits” in ICS environments and urged administrators to review the technical details and apply mitigations. Affected systems include Delta Electronics DIAView, Johnson Controls FX80 and FX90, Burk Technology ARC Solo, Rockwell Automation Arena, Packet Power EMX and EG, Dreame Technology iOS and Android apps, EG4 Electronics EG4 Inverters, Yealink IP Phones and RPS, Instantel Micromate, and Mitsubishi Electric Iconics Digital Solutions.

Security researchers warn that the stakes are high when it comes to patching flaws in ICS products. Nic Adams, co-founder and CEO at 0rcus, described ICS vulnerabilities as “latent kill switches built into the machinery that runs cities, grids, and factories,” adding that “CISA’s advisories are valuable, however, real impact depends on whether operators can execute effective patching and hardening in live environments.”

Experts also note that the government’s limited capacity leaves gaps in protection. Evan Dornbush, CEO at Desired Effect, said that “with CISA’s diminished capacity, the responsibility of cybersecurity has been pushed to state and local governments, many of which are already underfunded and ill-equipped to handle these threats – and the hackers know it.”

He added that “while government efforts are strained, non-governmental initiatives are stepping up to fill the void,” pointing to groups like the Civilian Reserve Information Sharing and Analysis Center and DEF CON’s Franklin program, which now supports thousands of U.S. water systems.

CISA emphasized the need to isolate ICS devices from business networks, reduce internet exposure, and apply patches as they become available, but experts warn that the window between disclosure and action remains a critical opportunity for attackers.