When six federal agencies simultaneously issue an emergency advisory, it’s time to pay attention.

On April 7, 2026, the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command’s Cyber National Mission Force published a joint advisory with an unusually direct message: Iranian-affiliated threat actors are actively disrupting industrial control systems at U.S. critical infrastructure facilities, right now.

The targets: water and wastewater systems, energy facilities, and government buildings. The method: exploiting programmable logic controllers (PLCs) that someone left exposed directly on the internet.


What’s Happening

Since at least March 2026, an Iranian-affiliated APT group has been conducting intrusion operations against organizations across multiple critical infrastructure sectors in the United States. Unlike typical data-theft operations, these actors are specifically going after operational technology (OT): the industrial equipment that controls physical processes.

The impacts documented by federal investigators include:

  • Manipulation of configuration files containing operational settings for industrial equipment
  • False data displayed on operator dashboards, causing incorrect readings of pressure, flow, chemical levels, and other physical parameters
  • Operational disruptions causing equipment to behave abnormally
  • Financial losses at affected organizations

The primary affected sectors named in the advisory:

Sector                  Example Exposure
Water and wastewater    Pumping stations, chemical dosing systems, treatment controls
Energy                  Substation automation, generation control equipment
Government facilities   Building management systems, HVAC controllers

How Programmable Logic Controllers Work, and Why They’re Vulnerable

PLCs are the embedded computers that run industrial processes. In a water treatment plant, a PLC might control chemical injection pumps. In an electrical substation, PLCs manage switching operations. In a government building, they might control ventilation, fire suppression, or access control systems.

These devices were designed in an era before internet connectivity was routine. They were built to be reliable and durable, not secure. Their authentication mechanisms are often minimal: a password on a web interface, if that, and the industrial protocols they speak (Modbus/TCP, for one) carry no authentication at all. Their firmware is rarely updated. And critically, they were designed to sit inside air-gapped or firewalled industrial networks, not exposed directly to the public internet.

But they increasingly are exposed. Digital transformation initiatives, remote monitoring requirements, and cost-cutting in IT/OT integration have left thousands of PLCs reachable from anywhere on earth with an internet connection.

The Iranian threat actors in this campaign are scanning for exactly these devices.
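To make "no authentication at all" concrete, here is an added example (not code from the advisory or from any PLC vendor) that builds and decodes Modbus/TCP frames. The register address, values, and the "chlorine dosing setpoint" meaning are constructed for illustration; the framing itself follows the Modbus/TCP specification. Nothing in it touches a network.

```python
"""Modbus/TCP framing: the request that rewrites a PLC register carries no
credentials at all. Added example, not from the advisory or any vendor SDK.
Sample frames are constructed inline; nothing here touches a network."""
import struct
from typing import Dict, List, Optional

# Function codes that change controller state (writes), per the Modbus
# Application Protocol specification. Read functions (0x01-0x04) are omitted.
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id (always 0),
    length (unit id byte + PDU), unit id. That header is the whole envelope."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid: int, unit: int, addr: int, count: int) -> bytes:
    """Function 0x03 request: read `count` 16-bit registers starting at `addr`."""
    return mbap(tid, unit, struct.pack(">BHH", 0x03, addr, count))


def write_single_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Function 0x06 request: set one holding register (a setpoint, a mode word,
    an alarm threshold). Twelve bytes, no identity, no signature."""
    return mbap(tid, unit, struct.pack(">BHH", 0x06, addr, value))


def parse_frame(frame: bytes) -> dict:
    """Decode MBAP header + PDU from a request or response frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    exception: Optional[int] = None
    if fc & 0x80:  # exception response: high bit set, one exception-code byte
        exception = data[0] if data else None
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": exception, "data": data}


def is_write(frame: bytes) -> bool:
    """True when delivering this frame would alter controller state."""
    return parse_frame(frame)["function"] in WRITE_FUNCTIONS


def decode_registers(response: bytes) -> List[int]:
    """Pull the 16-bit values out of a successful Read Holding Registers response."""
    p = parse_frame(response)
    if p["function"] != 0x03 or p["exception"] is not None:
        raise ValueError("not a successful function 0x03 response")
    byte_count = p["data"][0]
    regs = p["data"][1:1 + byte_count]
    return list(struct.unpack(">" + "H" * (byte_count // 2), regs))


# --- constructed exchange: a client reads, then rewrites, a dosing setpoint ---
# Register 0x0010 and its values are illustrative, not from any real device.
REQ_READ = read_holding_registers(tid=1, unit=1, addr=0x0010, count=2)
RESP_READ = mbap(1, 1, bytes([0x03, 0x04]) + struct.pack(">HH", 250, 1200))
REQ_WRITE = write_single_register(tid=2, unit=1, addr=0x0010, value=25)
RESP_WRITE = REQ_WRITE  # a compliant server echoes a successful 0x06 request
RESP_EXC = mbap(3, 1, bytes([0x86, 0x02]))  # 0x06 refused: illegal data address

if __name__ == "__main__":
    print("setpoint before:", decode_registers(RESP_READ))
    print("write request bytes:", REQ_WRITE.hex())
    print("state-changing:", is_write(REQ_WRITE), "/", is_write(REQ_READ))
    print("exception code:", parse_frame(RESP_EXC)["exception"])
```

Twelve bytes on TCP port 502 are enough to change a setpoint; the only thing standing between the internet and that register is whatever network control sits in front of the device.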


The Attack Chain

Based on the joint advisory and supporting threat intelligence, the observed attack chain follows a consistent pattern:

  1. Internet scanning: Automated tools scan the internet for PLCs with exposed web management interfaces, Modbus/TCP (TCP port 502), EtherNet/IP (TCP port 44818), or other industrial protocols.

  2. Authentication bypass or brute force: Many PLCs have weak or default credentials, or known authentication bypass vulnerabilities that have never been patched.

  3. Configuration manipulation: Once access is obtained, attackers modify software configuration files: changing setpoints, disabling alarms, or altering operational parameters.

  4. Dashboard spoofing: Attackers display false sensor data to human operators, masking the actual state of the physical process. This can cause operators to either take harmful actions or fail to take necessary protective actions.

  5. Disruption: Physical processes are disrupted β€” equipment is damaged, processes are halted, or safety systems are bypassed.
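Step 1 is the one a defender can reproduce against their own address space. The following is an added example (not code from the advisory) that checks whether a host answers on common ICS protocol and management ports and grades the result. The port list comes from the protocols' registered defaults; the connect function is injectable so the grading logic runs offline, and the "open" set used in main() is constructed, not a scan result. Run the live version only from outside your network against addresses you own and are authorized to probe.

```python
"""Exposure check for the advisory's root cause: an OT device that answers on
the public internet. Added example, not from the advisory. Only probe
addresses you own and are authorized to test."""
import socket
from typing import Callable, Dict

# Default TCP ports of common industrial protocols. Any of these reachable
# from the internet is the exposure the advisory describes.
ICS_PORTS: Dict[int, str] = {
    102:   "Siemens S7comm (ISO-TSAP)",
    502:   "Modbus/TCP",
    2404:  "IEC 60870-5-104",
    4840:  "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP explicit messaging",
}
# Management interfaces: not a protocol-level write path, but the place
# where default or weak credentials get brute-forced.
MGMT_PORTS: Dict[int, str] = {
    22: "SSH", 23: "Telnet", 80: "HTTP management UI",
    443: "HTTPS management UI", 8080: "HTTP management UI (alternate)",
}

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int) -> bool:
    """Live connector: True if a TCP handshake completes within 2 seconds."""
    try:
        with socket.create_connection((host, port), timeout=2.0):
            return True
    except OSError:
        return False


def probe_host(host: str, connect: Connector = tcp_connect) -> Dict[int, str]:
    """Return {port: service} for each listed port that accepts a connection."""
    ports = {**ICS_PORTS, **MGMT_PORTS}
    return {p: svc for p, svc in ports.items() if connect(host, p)}


def classify(open_ports: Dict[int, str]) -> str:
    """CRITICAL: an industrial protocol answers (for Modbus that is write access
    with no credentials). HIGH: only a management interface answers (credential
    attacks apply). NONE: nothing listed answered."""
    if any(p in ICS_PORTS for p in open_ports):
        return "CRITICAL"
    if open_ports:
        return "HIGH"
    return "NONE"


def report(host: str, connect: Connector = tcp_connect) -> dict:
    """Probe one host and attach a severity grade to what answered."""
    open_ports = probe_host(host, connect)
    return {"host": host, "open": open_ports, "severity": classify(open_ports)}


if __name__ == "__main__":
    # Constructed stand-in for a live scan: pretend only 502 and 443 answer.
    def fake_connect(host: str, port: int) -> bool:
        return port in {502, 443}
    print(report("198.51.100.7", connect=fake_connect))
```

A CRITICAL result against a public address means the device is reachable by exactly the scanning described in step 1, and the fix is the one the advisory gives: put a firewall, gateway, or VPN in front of it, then re-run the check from outside to confirm nothing answers.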


Why Iran? Why Now?

Iranian state-sponsored cyber operations against U.S. critical infrastructure are not new. The same pattern of targeting water systems, energy infrastructure, and government facilities has been observed in previous Iranian campaigns, including operations by groups affiliated with the Islamic Revolutionary Guard Corps (IRGC).

The timing (March–April 2026) coincides with elevated geopolitical tensions in the region. Iranian-affiliated cyber operations have historically surged during periods of diplomatic pressure or military escalation.

The joint advisory did not attribute the campaign to a specific named threat group, but the tactics, techniques, and procedures (TTPs) are consistent with Iranian APT actors that have previously targeted operational technology.


The Specific Threat: Internet-Exposed PLCs

The advisory’s primary technical finding is stark: these attacks work because PLCs are directly reachable from the public internet.

This is both the root cause and the fix. A PLC sitting behind a properly configured firewall, VPN gateway, or industrial DMZ is not directly reachable by external attackers, whatever its authentication weaknesses; an attacker has to get through the intermediary first. The entire campaign depends on finding devices that someone left exposed.

The advisory is explicit: if a PLC or OT device is reachable from the public internet without a controlled intermediary (a firewall, secure gateway, or VPN), that exposure should be closed immediately.

For devices with physical mode switches or software key switches that prevent remote modification, the advisory recommends activating those controls as a defense-in-depth measure.


What This Means for Smart Home and Small Business Owners

You might be thinking: I don’t operate a water treatment plant. Why does this matter to me?

Three reasons:

1. Small-scale OT is in your community. The water that comes out of your tap, the electricity in your home, the HVAC in your office building: all of these depend on the kind of equipment targeted in this campaign. Successful attacks on water treatment can affect drinking water quality. Grid disruptions affect your home.

2. The same exposure pattern affects home systems. Smart home automation hubs, home energy management systems, and residential solar inverters increasingly use the same types of industrial protocols and remote access patterns that make PLCs vulnerable. If your home automation system is directly internet-exposed without a VPN, you have a similar problem at a smaller scale.

3. IoT devices in your supply chain. If you work for or with any organization in critical infrastructure, utilities, or government, understanding this threat helps you ask the right questions about OT security practices at your employer or suppliers.


The joint advisory provides specific hardening guidance for affected organizations. For a broader audience, the translatable principles are:

Remove internet exposure for control systems. Any device that controls a physical process should not be directly reachable from the public internet. Route access through a VPN or zero-trust gateway.

Activate physical mode switches. For PLCs and similar devices that have physical switches restricting remote configuration changes, activate them.

Enable multi-factor authentication. Any remote access to OT/ICS environments should require MFA. Single-factor authentication to industrial systems is no longer acceptable.

Implement network segmentation. OT networks should be isolated from IT networks and from the internet. Flat networks that allow direct communication between corporate systems and industrial equipment are a significant risk.

Monitor for configuration changes. Establish a baseline of normal PLC configuration (setpoints, alarm limits, operating modes) and alert on any deviation. A setpoint changed or an alarm disabled by an attacker shows up as a deviation from that baseline.

Log and monitor access. Maintain logs of all access to industrial control systems. Establish alerting for access from unexpected IP ranges or at unusual hours.
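The last two principles, configuration-change monitoring and access monitoring, are the ones that turn into detection logic. Below is an added example (not from the advisory) that does both: it diffs a configuration snapshot against a saved baseline, and it flags access-log entries from outside the allowed networks, writes outside maintenance hours, and repeated login failures. The log format, the allowed networks, the maintenance window, and the sample log lines are all constructed assumptions; adapt them to what your gateway or PLC actually emits.

```python
"""OT monitoring: config-baseline diff plus access-log anomaly rules.
Added example, not from the advisory. Networks, hours, log format and the
sample lines are constructed assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Assumption: only the engineering VLAN and the VPN pool may reach the PLC.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("10.99.0.0/24")]
MAINTENANCE_HOURS = range(7, 19)           # assumption: 07:00-18:59 UTC
WRITE_ACTIONS = {"write_register", "write_coil", "upload_config", "set_mode"}
FAILED_LOGIN_THRESHOLD = 3


def diff_config(baseline: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """Report every setting that differs between the saved baseline and a fresh
    snapshot, including settings that appeared or disappeared."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            findings.append(f"{key}: baseline={old!r} current={new!r}")
    return findings


def parse_log_line(line: str) -> dict:
    """Parse the constructed format: 'TIMESTAMP HOST key=value key=value ...'."""
    ts, host, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze_access_log(lines: List[str]) -> List[str]:
    """Apply three rules: untrusted source (once per source), off-hours write,
    and FAILED_LOGIN_THRESHOLD failures from one source."""
    alerts: List[str] = []
    failures: Counter = Counter()
    flagged_sources = set()
    for line in lines:
        r = parse_log_line(line)
        src = ipaddress.ip_address(r["src"])
        when = r["ts"].isoformat()
        if not any(src in net for net in ALLOWED_NETS) and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append(f"{when} {r['host']}: access from {src} outside allowed networks")
        if r.get("action") in WRITE_ACTIONS and r["ts"].hour not in MAINTENANCE_HOURS:
            alerts.append(f"{when} {r['host']}: off-hours {r['action']} "
                          f"by {r.get('user')} from {src}")
        if r.get("result") == "fail":
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{when} {r['host']}: {FAILED_LOGIN_THRESHOLD} "
                              f"failed logins from {src}")
    return alerts


# --- constructed data: a saved baseline, a later snapshot, and a day of log ---
BASELINE = {"dosing_setpoint": 250, "alarm_high": 1200, "remote_write": "disabled"}
CURRENT = {"dosing_setpoint": 25, "alarm_high": 1200, "remote_write": "enabled"}
SAMPLE_LOG = [
    "2026-04-03T02:14:09Z plc-wwtp-01 src=203.0.113.45 user=admin action=login result=fail",
    "2026-04-03T02:14:31Z plc-wwtp-01 src=203.0.113.45 user=admin action=login result=fail",
    "2026-04-03T02:15:02Z plc-wwtp-01 src=203.0.113.45 user=admin action=login result=fail",
    "2026-04-03T02:16:30Z plc-wwtp-01 src=203.0.113.45 user=admin action=write_register addr=0x0010 value=25 result=ok",
    "2026-04-03T09:12:01Z plc-wwtp-01 src=10.20.0.14 user=ops action=read_register addr=0x0010 result=ok",
    "2026-04-03T09:15:22Z plc-wwtp-01 src=10.20.0.14 user=ops action=write_register addr=0x0012 value=1200 result=ok",
]

if __name__ == "__main__":
    for finding in diff_config(BASELINE, CURRENT):
        print("CONFIG DEVIATION:", finding)
    for alert in analyze_access_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

The two checks catch the two halves of the attack chain described above: the baseline diff surfaces a manipulated setpoint even if the operator dashboard has been spoofed to hide it, and the log rules surface the credential attack and the off-hours write that preceded it. The benign daytime write from the engineering VLAN raises nothing, which is the point of a baseline rather than a blanket alert on every write.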


The Broader Pattern

This advisory follows a run of major OT/infrastructure developments: Sandworm’s DynoWiper attack on Polish power grid facilities in December 2025, the FCC’s ban on foreign routers following Chinese state actor campaigns, and the DOE’s release of its first 5-year grid cybersecurity roadmap.

The pattern is clear: state-level threat actors have made critical infrastructure OT a primary targeting category. The era when industrial control systems could be secured through obscurity (“nobody knows these systems exist”) is definitively over.

