Campaign Overview

Since at least March 2026, Iranian-affiliated cyber actors have been conducting targeted attacks against internet-exposed programmable logic controllers (PLCs) across multiple US critical infrastructure sectors. A joint advisory issued by CISA, FBI, NSA, the Environmental Protection Agency, the Department of Energy, and US Cyber Command confirms active disruption of PLC functionality at operational sites.

The campaign escalation is assessed as a response to geopolitical tensions in the Middle East. The actors involved — assessed with high confidence to include groups affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) — have a documented history of opportunistic ICS targeting that intensifies during periods of Iranian-US or Iranian-Israeli escalation.

This is not a new capability. Iranian threat actors have been attacking OT-connected infrastructure since at least 2021. What is new is the scope and the intent: the current campaign is causing measurable operational disruption rather than merely demonstrating access.

Affected Sectors

Water and wastewater systems represent the highest proportion of confirmed incidents. Many smaller water utilities operate internet-connected SCADA systems and PLCs with default or weak credentials as a matter of routine — the combination of limited IT staffing, legacy infrastructure, and constrained budgets has created a broad attack surface that Iranian actors have systematically mapped and exploited.

Energy sector installations — primarily smaller regional distribution systems and substations — have been targeted for reconnaissance and limited disruption. The advisory notes that full operational disruption of energy delivery has not been achieved, but access sufficient for disruption has been confirmed at several sites.

Government services — including public-facing operational systems such as traffic management infrastructure, building management systems, and municipal water controls — represent the third confirmed sector.

Initial Access: How the Attacks Work

Iranian actors in this campaign are not using sophisticated zero-days. The initial access methodology relies almost entirely on two factors:

Default and weak credentials on internet-exposed interfaces. Siemens S7-1200, Allen-Bradley ControlLogix, and Unitronics Vision series PLCs — all of which have web-based engineering interfaces accessible over standard HTTP/HTTPS — are being accessed using factory-default credentials or credentials common to a specific device generation. Many of these devices have been internet-exposed since initial installation and have never had their access credentials changed.

Vulnerable remote access and HMI software. Where direct PLC web interfaces are not accessible, Iranian actors are exploiting vulnerabilities in HMI software and remote access clients — including several CVEs disclosed in 2024-2025 for Weintek HMIs, AVEVA System Platform, and Inductive Automation Ignition.

The attack pattern once access is achieved:

  1. Enumerate connected devices on the OT network segment
  2. Identify PLCs and HMI screens with write access
  3. Modify operational parameters — setpoints, alarm thresholds, output commands
  4. In some cases, push modified ladder logic to overwrite existing PLC programs

In the water sector incidents, modifications included changes to chemical dosing setpoints and pump control parameters. No incidents meeting the threshold for a public health emergency have been confirmed, but the proximity to such a threshold in several cases prompted the joint advisory.

Why Internet-Exposed PLCs Remain Such a Large Attack Surface

The advisory’s technical appendix quantifies the exposure: Shodan and equivalent internet scanning services currently index over 13,000 internet-accessible industrial control system interfaces in the US alone, across water utilities, energy distribution, manufacturing, and government operations. A significant fraction of these have default credentials, no authentication layer, or use unencrypted Modbus/DNP3 protocols with no integrity protection.

The ICS security community has warned about this attack surface for over a decade. The reasons it persists are structural:

Asset owner capability gaps. Small water utilities and municipal operators frequently lack dedicated IT staff, let alone OT security expertise. The teams maintaining these systems are civil engineers and process operators — the network exposure is often invisible to them.

Legacy architecture. Systems installed in the 2000s and 2010s were engineered before operational technology internet connectivity was common. Retroactively securing them is expensive, disruptive to operations, and often technically complex due to undocumented dependencies.

Procurement cycles. Capital equipment in water and energy infrastructure operates on 20-30 year lifecycle timelines. Replacing vulnerable legacy PLCs with hardened modern equivalents is a multi-year, multi-million dollar programme that most operators cannot prioritise over service delivery.

Immediate Mitigation Priorities

CISA’s advisory lists specific mitigations for asset owners operating internet-connected OT infrastructure. The most critical, in order of impact:

1. Remove internet exposure from OT interfaces. PLCs, HMIs, and SCADA servers should not be directly internet-accessible. Where remote access is operationally necessary, it must be through a secured VPN gateway with MFA — not direct internet connectivity. Audit your internet-accessible attack surface using Shodan queries for your IP ranges before an adversary does it for you.

2. Change default credentials immediately. Every PLC, HMI, and OT network device in your environment should have its default credentials changed to unique, complex passwords. For legacy devices that cannot store complex credentials, implement network-level access control as a compensating measure.

3. Segment OT from IT and from the internet. Where complete internet removal is not immediately achievable, implement strict network ACLs between the internet-facing network, the IT network, and the OT network. PLCs and HMIs should not be reachable from the corporate network except through explicitly permitted and monitored paths.

4. Implement out-of-band monitoring. Deploy passive OT network monitoring (tools such as Dragos, Claroty, Armis, or Nozomi Networks) on the OT network to detect anomalous commands, configuration changes, and unexpected connections. Iranian actors’ PLC modification activity is visible to passive OT monitoring — but only if that monitoring is deployed.

5. Harden Unitronics and Siemens S7 devices specifically. The advisory specifically calls out Unitronics Vision series and Siemens S7-1200 as high-frequency targets. Firmware updates for both platforms that disable unused protocols and enforce credential complexity have been available since 2024.

Operational Impact Assessment

The confirmed operational impacts in the March-May 2026 campaign period include:

  • Temporary shutdown of water treatment dosing systems requiring manual operator intervention
  • Modification of pump control programmes at three municipal water facilities
  • HMI screens defaced with politically motivated messages (consistent with prior Iranian hacktivist activity)
  • Energy distribution SCADA access confirmed at two sites, no confirmed operational disruption

The disruptions achieved to date are operationally recoverable — they require manual operator intervention but have not caused sustained service failure. The concerning scenario is not the current campaign’s impact but its trajectory: the technical access achieved in 2026 could be used for more severe disruption in the event of significant geopolitical escalation.

Reporting

Critical infrastructure operators who believe they have been targeted by this campaign should report to CISA’s 24/7 Operations Centre at (888) 282-0870 or [email protected]. Sector-specific information sharing organisations (WaterISAC, E-ISAC for energy) are also disseminating technical indicators from the joint advisory to members.

Tags
IranAPTPLCwaterenergyOTcritical-infrastructureCISAFBIICS-CERT