PROBABLYPWNED
Threat Intelligence · April 8, 2026 · 5 min read

FBI, CISA Warn Iran Is Attacking US Water and Energy PLCs

Joint advisory AA26-097A details Iranian APT targeting Rockwell Allen-Bradley controllers across critical infrastructure. Attacks caused operational disruptions since March 2026.

Alex Kowalski

Iranian state-affiliated hackers are actively disrupting US critical infrastructure by manipulating internet-exposed programmable logic controllers. The FBI, CISA, NSA, EPA, DOE, and US Cyber Command issued joint advisory AA26-097A on April 7, warning that attacks against water treatment, energy, and government facilities have caused operational disruptions and financial losses since March 2026.

The advisory specifically names Rockwell Automation/Allen-Bradley PLCs as the primary targets. Attackers are using overseas IP addresses and legitimate configuration software to connect to exposed controllers, modify project files, and tamper with SCADA displays.

This isn't theoretical. Facilities are already compromised.

The Attack Campaign

Since at least March 2026, Iranian-affiliated APT actors have been scanning for internet-accessible PLCs across US critical infrastructure. Once they find vulnerable devices, they establish connections using Rockwell's own Studio 5000 Logix Designer software—making the malicious traffic look like legitimate maintenance.

The attackers aren't just conducting reconnaissance. They're actively manipulating:

  • PLC project files - Altering the logic that controls physical processes
  • HMI displays - Changing what operators see on their screens
  • SCADA systems - Modifying supervisory controls for entire facilities

The joint advisory notes these modifications have already "caused operational disruption and financial loss" at targeted organizations. When PLCs controlling water treatment or power distribution behave unexpectedly—or display false readings to operators—the consequences extend beyond IT systems into physical safety.

Who Is Behind This

The advisory links the campaign to Iranian APT actors affiliated with the Islamic Revolutionary Guard Corps (IRGC). This tracks with previous activity from the CyberAv3ngers group, which we analyzed in January after CSIS documented how Iran's "hacktivist" operations are actually state-directed.

CyberAv3ngers previously targeted Unitronics PLCs at US water facilities in late 2023, leaving propaganda messages on compromised systems. The current campaign represents an escalation—from messaging to actual operational manipulation.

The advisory doesn't attribute the attacks to a specific named group, but the TTPs align with known IRGC cyber operations. Iran has been building ICS/SCADA attack capabilities for years, with documented intrusions into dam control systems, power utilities, and manufacturing facilities.

Targeted Sectors

The advisory confirms attacks across multiple critical infrastructure sectors:

  • Water and Wastewater Systems - Treatment facilities, distribution systems
  • Energy - Power generation and distribution infrastructure
  • Government Services and Facilities - Federal, state, and local government operations

Industrial control systems in these sectors often run on legacy hardware with limited security capabilities. Many were designed for isolated networks but have been connected to the internet for remote monitoring—creating exactly the exposure Iran is exploiting.

CISA previously added Rockwell Automation vulnerabilities to the KEV catalog in March, warning about CVE-2021-22681's credential bypass. The current attacks may leverage similar authentication weaknesses to gain unauthorized PLC access.

Immediate Mitigations

The advisory provides specific defensive actions:

  1. Disconnect internet-exposed PLCs - If a PLC doesn't need internet access, remove it. Period.
  2. Enable multi-factor authentication - On all remote access pathways to OT networks
  3. Apply security patches - Follow Rockwell Automation's guidance in SD1771
  4. Monitor suspicious ports - Especially 44818, 2222, 102, and 502 from overseas IPs
  5. Implement network segmentation - Isolate OT systems from IT networks and the internet
  6. Audit PLC configurations - Check for unauthorized changes to project files

Rockwell Automation's SD1771 advisory reiterates that internet-connected PLCs represent unacceptable risk. The company has been warning customers since 2023 to disconnect devices that don't require external access.

Why Organizations Fail to Act

Every ICS security advisory says "disconnect from the internet" and "segment your networks." Yet internet-exposed PLCs remain common. The reasons are depressingly predictable:

  • Remote monitoring convenience - Operators want to check systems from home
  • Vendor maintenance access - Third parties require connectivity for support
  • Integration requirements - Business systems need OT data for reporting
  • Resource constraints - Proper segmentation requires network redesign

None of these justify the risk. A VPN or bastion host provides remote access without direct internet exposure. Vendor support can work through secure channels. Data can flow one-way from OT to IT.

The alternative is what's happening now: nation-state actors manipulating the systems that control water treatment, power generation, and industrial processes. The advisory makes clear this isn't a future threat—it's current operations causing real damage.

Detection Guidance

Organizations should review logs for:

  • Connections to PLCs from unfamiliar IP addresses, particularly overseas hosting providers
  • Studio 5000 or similar configuration software connecting at unusual times
  • PLC configuration changes that weren't authorized through change management
  • Discrepancies between HMI displays and actual process state

The joint advisory includes specific ports to monitor but doesn't publish IOCs like IP addresses or file hashes. Organizations in affected sectors should contact CISA directly for additional threat intelligence through the ICS-CERT portal.
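As an added example (not code from the advisory or from this article), the script below applies the detection checklist above to constructed flow-log lines: it flags the ICS ports the advisory names when they are reached from outside the site's private ranges, from an internal host other than the approved engineering workstation, or outside the maintenance window. The log format, OT subnet, approved host and window hours are assumptions; geo-IP enrichment to identify "overseas" sources is left to the reader's own tooling.

```python
"""Triage PLC-bound flows against the advisory's detection guidance.

Assumed log format (not from the advisory): one flow per line,
"timestamp,src_ip,dst_ip,dst_port". Site values below are constructed.
"""
import ipaddress
from datetime import datetime

# Ports called out in the advisory: EtherNet/IP 44818, CIP 2222, S7comm 102, Modbus 502
ICS_PORTS = {44818, 2222, 102, 502}
# Assumption: anything outside RFC 1918 space is treated as external to the site
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")            # constructed OT range
APPROVED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.21")}  # constructed Studio 5000 host
MAINTENANCE_WINDOW = (8, 17)  # hours during which engineering sessions are expected


def is_external(ip) -> bool:
    return not any(ip in net for net in INTERNAL_NETS)


def analyze_flow(line: str) -> list:
    """Return the reasons a single flow line is suspicious (empty list if none)."""
    ts_text, src_text, dst_text, port_text = line.strip().split(",")
    ts = datetime.fromisoformat(ts_text)
    src, dst, port = ipaddress.ip_address(src_text), ipaddress.ip_address(dst_text), int(port_text)
    reasons = []
    if dst not in OT_SUBNET or port not in ICS_PORTS:
        return reasons  # not an ICS-protocol flow to the OT network; out of scope
    if is_external(src):
        reasons.append(f"ICS port {port} reached from external IP {src}")
    elif src not in APPROVED_ENGINEERING_HOSTS:
        reasons.append(f"ICS port {port} reached from unapproved internal host {src}")
    start, end = MAINTENANCE_WINDOW
    if not start <= ts.hour < end:
        reasons.append(f"ICS session at {ts.strftime('%H:%M')} outside maintenance window")
    return reasons


def triage(log_lines) -> dict:
    """Map each suspicious line to its reasons; benign lines are dropped."""
    return {line: r for line in log_lines if (r := analyze_flow(line))}


SAMPLE_FLOWS = [  # constructed sample lines, not real telemetry
    "2026-04-06T10:15:00,10.10.5.21,10.20.1.50,44818",   # approved workstation, in hours
    "2026-04-06T03:42:10,203.0.113.77,10.20.1.50,44818",  # external source, off-hours
    "2026-04-06T11:05:00,10.10.9.9,10.20.1.51,502",       # unapproved internal host
    "2026-04-06T11:06:00,10.10.9.9,10.20.1.51,443",       # non-ICS port, ignored
]

if __name__ == "__main__":
    for flow, why in triage(SAMPLE_FLOWS).items():
        print(flow, "->", "; ".join(why))
```

In practice the flagged sessions would be cross-checked against change-management records, which is how the third bullet (unauthorized configuration changes) gets confirmed.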

For deeper background on Iran's OT targeting capabilities, review our guide to nation-state ICS threats and monitor CISA's ICS advisories for ongoing updates.
