A functional version of this malware could manipulate water treatment chemistry and hydraulic systems, creating direct risk to public health and physical infrastructure integrity — not a data breach, but a potential safety incident. For water utilities, a confirmed sabotage event triggers mandatory reporting obligations under EPA and DHS frameworks, carries significant reputational exposure, and could result in regulatory enforcement action. The current build is non-functional, but the narrow gap between the existing code and an operational payload means the window for preventive action is short.
You Are Affected If
You operate water treatment or desalination OT/ICS systems, particularly in Israeli critical infrastructure
Your ICS environment includes devices communicating via Modbus, DNP3, or S7comm protocols
USB ports are enabled and uncontrolled on OT workstations or engineering laptops with ICS access
Your OT network lacks segmentation that would prevent a compromised Windows host from issuing protocol commands to PLCs or RTUs
You have not reviewed removable media access logs or OT network traffic baselines against ZionSiphon indicators from the Darktrace report
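The conditions above (Modbus-speaking PLCs, a Windows host able to reach them, no reviewed traffic baseline) can be turned into a concrete detection check. The following is an added example, not code from this advisory or from the Darktrace report: it parses Modbus/TCP request frames (standard MBAP header plus PDU) and alerts on write function codes coming from any source not in a baseline of approved engineering hosts. The IP addresses, frames and baseline are constructed for illustration.

```python
import struct
from collections import namedtuple

# Modbus function codes that change PLC/RTU state (the write operations defined
# in the Modbus application protocol specification).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

ModbusRequest = namedtuple("ModbusRequest", "src dst unit_id function address")

def parse_modbus_tcp(src, dst, payload):
    """Parse one Modbus/TCP request (TCP/502 payload): 7-byte MBAP header, then PDU.
    Returns None if the frame is too short, the protocol id is not 0 (Modbus), or
    the MBAP length field disagrees with the bytes actually present."""
    if len(payload) < 9:
        return None
    _txn, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    # Function codes 1-6, 15 and 16 carry a 2-byte starting address after the code.
    addr = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else -1
    return ModbusRequest(src, dst, unit, func, addr)

def flag_unexpected_writes(frames, allowed_writers):
    """Alert on write requests whose (source, PLC) pair is not in the traffic baseline."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None or req.function not in WRITE_FUNCTION_CODES:
            continue  # reads and malformed frames are out of scope for this check
        if (req.src, req.dst) not in allowed_writers:
            alerts.append(f"{req.src} -> {req.dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTION_CODES[req.function]} at address {req.address}")
    return alerts

# Constructed sample traffic: an HMI read, a write from the one baselined engineering
# workstation, and a write from a Windows host that has never written to this PLC.
SAMPLE_FRAMES = [
    ("10.10.1.10", "10.10.2.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC3 read
    ("10.10.1.5", "10.10.2.20", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),   # FC6 write
    ("10.10.1.77", "10.10.2.20", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x07\xff\x00"),  # FC5 write
]
BASELINE_WRITERS = {("10.10.1.5", "10.10.2.20")}  # constructed baseline of approved writers

def detect_sample():
    """Run the check over the constructed frames; expected: one alert for 10.10.1.77."""
    return flag_unexpected_writes(SAMPLE_FRAMES, BASELINE_WRITERS)
```

In practice the frames would come from a span-port capture of the OT segment and the baseline from the reviewed traffic history; any host appearing in the alert list is a segmentation or removable-media question to answer before the payload is corrected and redeployed.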
Board Talking Points
Researchers have discovered malware built specifically to sabotage water treatment systems — it is currently non-functional due to a coding error, but the core capability is complete and could be corrected and redeployed at any time.
Water sector OT operators should complete a defensive posture review against published Darktrace indicators and CISA water sector guidance within the next two weeks, before this malware is corrected and redistributed.
If no action is taken and a functional version is deployed against an undefended system, the potential consequences include compromised water safety, physical infrastructure damage, regulatory enforcement, and public health liability.
EPA America's Water Infrastructure Act (AWIA) — water utilities serving more than 3,300 people are required to conduct risk and resilience assessments and notify EPA of cybersecurity incidents; a confirmed ZionSiphon deployment would trigger incident reporting obligations
CISA Critical Infrastructure Protection — water and wastewater systems are designated critical infrastructure; operators should report confirmed malware detections to CISA and the WaterISAC per sector-specific guidance