Iran-Linked Hackers Target U.S. Water and Energy Systems Through Exposed Industrial Controllers


Federal cybersecurity agencies are warning that Iran-affiliated hackers are actively exploiting weaknesses in the industrial control systems that underpin America’s water and energy infrastructure, signaling a renewed focus on operational disruption rather than simple espionage.


In a newly released joint advisory, a coalition that includes the Cybersecurity and Infrastructure Security Agency, National Security Agency, Federal Bureau of Investigation, U.S. Cyber Command, Department of Energy, Environmental Protection Agency, and Cyber National Mission Force outlined an ongoing campaign targeting programmable logic controllers, or PLCs. These industrial devices manage everything from water treatment processes to electricity distribution.


The alert highlights a growing concern inside Washington and across critical infrastructure sectors. Systems that were never designed to be exposed to the internet are now accessible online, creating a direct pathway for attackers into operational technology environments.


Internet-Exposed Controllers Become a Prime Entry Point


At the center of the warning is a simple but dangerous reality. Many PLCs remain directly reachable from the public internet, often without basic authentication controls. That exposure significantly lowers the barrier for attackers.


Steve Cobb, Chief Information Security Officer at SecurityScorecard, described the campaign as both opportunistic and increasingly disruptive.


“The FBI, NSA, CISA, and the Department of Energy confirmed what the broader targeting pattern already suggested: Iran-affiliated APT actors are inside U.S. water utilities, energy systems, and local government networks. The same campaign that hit FBI Director Kash Patel's personal email and disrupted Stryker's manufacturing operations has reached publicly exposed programmable logic controllers and SCADA displays across critical infrastructure.”


Cobb emphasized that attackers are doing more than gaining access. They are actively manipulating systems and extracting sensitive data.


“The advisory notes hackers altered display data and pulled device project files in some intrusions. That combination, visible disruption plus data extraction, raises the operational stakes beyond a simple defacement. Operators lose confidence in what their systems are actually telling them.”


That loss of trust in system data is a critical risk in industrial environments, where inaccurate readings can lead to delayed responses or incorrect operational decisions.


Rockwell Automation Systems in Focus


The advisory specifically calls out PLCs produced by Rockwell Automation, a major supplier of industrial control systems widely deployed across U.S. infrastructure. Officials said these devices are currently being exploited, though systems from other vendors may also be at risk.


A recently cataloged vulnerability affecting Rockwell’s industrial control products appears to be part of the attack surface. Federal agencies urged organizations using these systems to review logs for suspicious activity and to remove any control interfaces exposed to the internet.


Ed Moreland, vice president of government affairs and corporate communications at Rockwell Automation, said the company is coordinating with federal partners.


“Rockwell Automation takes seriously the security of its products and solutions and has been closely coordinating with government agencies.”


Echoes of Earlier Iranian Cyber Campaigns


While the advisory does not name a specific threat group, officials noted similarities to past operations attributed to CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps.


That group previously breached U.S. water utilities in 2023, defacing control panels and exploiting Israeli-made equipment. Those incidents followed heightened tensions in the Middle East, suggesting a pattern of cyber activity tied to geopolitical events.


Current intelligence indicates that activity has escalated again amid rising tensions involving Iran and U.S. allies.


Cobb pointed to timing as a key factor.


“Iran-linked actors are running these operations while geopolitical tensions are running at their highest point in years. The timing is deliberate.”


Energy Sector Moves to Heightened Alert


The warning has triggered rapid coordination across the energy sector. The North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center issued an industry-wide alert urging increased vigilance.


Kimberly Mielcarek, vice president at the organization, confirmed that monitoring efforts have intensified.


“Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners.”


A Department of Energy spokesperson said the agency is working alongside federal partners to provide actionable mitigation guidance to affected organizations, though specific targets have not been publicly disclosed.


Low Complexity, High Impact Attacks


One of the most concerning aspects of the campaign is its lack of technical complexity. According to federal guidance, many of the exploited systems require little sophistication to access once exposed online.


“The advisory identifies the entry point: controllers accessible from the public internet, with no authentication between an attacker and operational control,” Cobb said. “These are systems that were never designed to be network-facing and ended up there anyway. No sophistication required.”


This dynamic underscores a persistent challenge in operational technology security. Legacy systems often prioritize uptime and reliability over modern security controls, leaving them vulnerable when connected to broader networks.


A Persistent National Security Challenge


Retired U.S. Army Lieutenant General Ross Coffman, now president of Forward Edge-AI, framed the activity as part of a broader strategic effort by Iran to test U.S. defenses across multiple domains.


“Iran using cyberattacks to probe and impact American utilities should come as no surprise. Iran is using its long-range targeting tools to fight in every domain possible. We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government's cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank.”


Mitigation Comes Down to Fundamentals


Federal agencies are urging organizations to take immediate steps to reduce risk. Key recommendations include removing industrial control systems from direct internet exposure, implementing strong access controls, and improving monitoring of operational technology environments.
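As an added illustration of the monitoring recommendation above, and of the internet-exposed-controller problem the advisory describes, here is a small Python checker that reads firewall flow records and flags accepted connections to PLC protocol ports that come either from outside the plant's own address space or from internal hosts that are not the designated engineering workstations. This is example code written for this page, not code from the advisory or from any organization quoted in the article. The flow-log line format, the internal network ranges, the engineering-host allowlist and the sample records are all constructed for the example; the port numbers are the standard ones for Modbus/TCP and EtherNet/IP.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Standard service ports served by many PLCs: Modbus/TCP 502,
# EtherNet/IP explicit (CIP) messaging TCP 44818, EtherNet/IP implicit I/O UDP 2222.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 44818): "EtherNet/IP (CIP explicit)",
    ("udp", 2222): "EtherNet/IP (CIP implicit I/O)",
}

# Constructed: the operator's own internal address space. Anything outside it
# is treated as external (internet-facing) for the purposes of this check.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: the only internal hosts allowed to talk to the controllers
# (engineering workstations / HMI servers).
ALLOWED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.15")}


@dataclass
class Alert:
    src: str
    dst: str
    proto: str
    port: int
    protocol_name: str
    reason: str


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow-log line of the form
    '<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACCEPT|DROP>'.
    Returns None for lines that do not match, so malformed input is skipped."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, action = parts
    try:
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": ts, "proto": proto.lower(), "src": src_ip,
                "dst": dst_ip, "dport": int(dst_port), "action": action.upper()}
    except ValueError:
        return None


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_flow(flow: dict) -> Optional[Alert]:
    """Return an Alert when an accepted flow reaches an ICS service from a
    source that should never have that reach; otherwise None."""
    key = (flow["proto"], flow["dport"])
    if key not in ICS_PORTS or flow["action"] != "ACCEPT":
        return None
    src = ipaddress.ip_address(flow["src"])
    if not is_internal(src):
        reason = "ICS service reached from a public internet address"
    elif src not in ALLOWED_ENGINEERING_HOSTS:
        reason = "ICS service reached from a non-allowlisted internal host"
    else:
        return None
    return Alert(str(src), flow["dst"], flow["proto"], flow["dport"],
                 ICS_PORTS[key], reason)


def audit_flows(lines):
    """Run every parsable line through classify_flow and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = classify_flow(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


def exposed_controllers(alerts):
    """Controllers that external addresses actually reached: the concrete
    evidence that a device is internet-exposed and must be taken offline."""
    return sorted({f"{a.dst}:{a.port}" for a in alerts if "public" in a.reason})


# Constructed sample records (timestamps and addresses are made up for the example).
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01Z tcp 203.0.113.7:51234 -> 10.20.5.10:44818 ACCEPT",
    "2024-01-01T10:00:02Z tcp 10.20.0.15:50222 -> 10.20.5.10:44818 ACCEPT",
    "2024-01-01T10:00:03Z tcp 10.20.0.99:50223 -> 10.20.5.11:502 ACCEPT",
    "2024-01-01T10:00:04Z udp 203.0.113.7:40000 -> 10.20.5.10:2222 DROP",
    "2024-01-01T10:00:05Z tcp 10.20.0.15:50224 -> 10.20.5.12:443 ACCEPT",
    "malformed line",
]

if __name__ == "__main__":
    for a in audit_flows(SAMPLE_FLOWS):
        print(f"{a.reason}: {a.src} -> {a.dst}:{a.port} ({a.protocol_name})")
    print("exposed controllers:", exposed_controllers(audit_flows(SAMPLE_FLOWS)))
```

An accepted session from an address outside the plant's own ranges to one of these ports is direct evidence that the controller is reachable from the internet and belongs behind a firewall, VPN or jump host rather than on a public address; the second rule, flagging internal hosts that are not on the engineering allowlist, is what catches a foothold elsewhere on the corporate network being used to reach the same controllers. Dropped packets are deliberately ignored so the output stays focused on connections that actually succeeded.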


The advisory reinforces a broader message that continues to surface across cybersecurity guidance. Many of the most serious risks to critical infrastructure stem not from advanced exploits, but from basic exposure and limited visibility.


For operators of water systems, energy grids, and industrial networks, the current campaign is a reminder that geopolitical conflict increasingly plays out in code and connectivity. And in many cases, the path in is still wide open.