Following up on this alert from the FBI, U.S. cybersecurity and intelligence agencies, including the FBI, NSA, and CISA, have issued a joint warning that Iranian-linked hackers are actively targeting critical infrastructure across the United States, with a focus on water, wastewater, energy, and government systems.
The activity has escalated since last month, with confirmed incidents resulting in operational disruptions and financial losses.
The attacks specifically target internet-exposed programmable logic controllers and industrial control systems used to operate infrastructure, including Rockwell/Allen-Bradley devices. Threat actors have been observed manipulating system data and extracting project files, with the stated intent of causing disruptive effects within U.S. systems.
Officials said the campaign spans multiple sectors and organizations nationwide, though the total number of impacted entities has not been disclosed. The advisory was issued by a coalition of federal agencies, including the Department of Energy and U.S. Cyber Command, as investigations into the activity remain ongoing.
Sunil Gottumukkala, CEO, Averlon:
“ICS security matters because it underpins physical operations, so a compromise can mean real-world disruption, not just data loss. Many of the systems being targeted were never designed to be secured or updated at the pace modern threats require, and they still rely on legacy infrastructure where monitoring is limited and patching isn’t always feasible without operational impact.
“Even when these systems aren’t directly exposed, they’re often connected through upstream systems, remote access, or vendor pathways that attackers can leverage as part of a broader attack chain. As threat activity increases and AI accelerates reconnaissance and exploit development, the response window continues to shrink while the ability to safely respond remains constrained.”
Damon Small, Board of Directors, Xcape, Inc.:
“The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot. By leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed programmable logic controller (PLC) is not a poor technical design – it is a pre-staged kinetic weapon. Security leaders must acknowledge that these “nuisance” disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires. The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve.
“Teams must immediately pull every PLC off the public Internet and isolate them behind a Zero Trust gateway or authenticated VPN. For Rockwell CompactLogix and Micro850 series devices, operators should physically set the controller mode switch to the RUN position to block remote logic changes. Organizations must audit for exposed industrial ports such as 44818 and 2222 and rotate all default credentials across the OT environment. Failing to remove these systems from public view is an open invitation for geopolitical adversaries to use your operational uptime as a diplomatic bargaining chip.
“In short, the cease-fire will not stop our adversaries from attacking the United States’ critical infrastructure, and this will lead to the unavailability of these services, or worse, to incidents that lead to loss of life and limb.
“If your water treatment plant or refinery is searchable on the Internet, you are not running a utility; you are hosting a digital sandbox for the IRGC.”
Denis Calderone, CTO, Suzu Labs:
“When CyberAv3ngers hit Unitronics PLCs back in 2023, it looked like hacktivism. They put political messages on water system displays and moved on. What today’s six-agency advisory describes is different. We warned in March that organizations in energy, water, and government should be actively hunting for pre-positioned access. Today’s advisory confirms that’s exactly what’s been happening, and in some cases has already caused operational disruption and financial loss.
“Today, we’re seeing the threat actors conducting fairly surgical operations, using Studio 5000 Logix Designer, which is Rockwell Automation’s own PLC programming software, to interact with CompactLogix and Micro850 controllers at the file object level. They’re extracting the programming logic that controls physical processes and manipulating data on HMI and SCADA displays. Think about what that means for a water treatment operator or a power plant engineer. If your display is showing you normal pressure, flow, or chemical dosing levels and the actual values are different, you’re making operational decisions based on false data. That’s how equipment damage and safety incidents happen.
“Now, the advisory specifically calls out Rockwell Automation and Allen-Bradley, and that makes sense because Rockwell holds roughly 35 to 40 percent of the US PLC market. But don’t let the Rockwell focus distract you. The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that’s a Siemens protocol. The advisory itself says ‘potentially other branded PLCs’ are at risk.
“If you’re running Siemens, Schneider, or any other PLC platform and assuming this doesn’t apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem.
“The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period. The advisory confirms that the attackers are simply connecting to internet-exposed devices using overseas IP addresses. But internet isolation alone isn’t enough. Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments.
“If you have PLCs on flat networks that IT workstations can reach directly, you have a problem. Modbus TCP has essentially zero security controls built in. That protocol originates from 1979 when these were closed systems. Review logs now for suspicious traffic on ports 44818, 2222, 102, 22, and 502. And if you’re running Rockwell devices, reach out to Rockwell through their existing support channels for specific mitigation guidance tied to this advisory.”
The fact that all these agencies are warning about this should show you how serious this problem is. And to be clear, this is a today problem that requires immediate action. Otherwise really bad things will happen.
U.S. agencies warn of Iranian hackers targeting water and energy systems
Posted in Commentary with tags Iran, US on April 9, 2026 by itnerdFollowing up on this alert from the FBI, U.S. cybersecurity and intelligence agencies, including the FBI, NSA, and CISA, have issued a joint warning that Iranian-linked hackers are actively targeting critical infrastructure across the United States, with a focus on water, wastewater, energy, and government systems.
The activity has escalated since last month, with confirmed incidents resulting in operational disruptions and financial losses.
The attacks specifically target internet-exposed programmable logic controllers and industrial control systems used to operate infrastructure, including Rockwell/Allen-Bradley devices. Threat actors have been observed manipulating system data and extracting project files, with the stated intent of causing disruptive effects within U.S. systems.
Officials said the campaign spans multiple sectors and organizations nationwide, though the total number of impacted entities has not been disclosed. The advisory was issued by a coalition of federal agencies, including the Department of Energy and U.S. Cyber Command, as investigations into the activity remain ongoing.
Sunil Gottumukkala, CEO, Averlon:
“ICS security matters because it underpins physical operations, so a compromise can mean real-world disruption, not just data loss. Many of the systems being targeted were never designed to be secured or updated at the pace modern threats require, and they still rely on legacy infrastructure where monitoring is limited and patching isn’t always feasible without operational impact.
“Even when these systems aren’t directly exposed, they’re often connected through upstream systems, remote access, or vendor pathways that attackers can leverage as part of a broader attack chain. As threat activity increases and AI accelerates reconnaissance and exploit development, the response window continues to shrink while the ability to safely respond remains constrained.”
Damon Small, Board of Directors, Xcape, Inc.:
“The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot. By leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed programmable logic controller (PLC) is not a poor technical design – it is a pre-staged kinetic weapon. Security leaders must acknowledge that these “nuisance” disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires. The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve.
“Teams must immediately pull every PLC off the public Internet and isolate them behind a Zero Trust gateway or authenticated VPN. For Rockwell CompactLogix and Micro850 series devices, operators should physically set the controller mode switch to the RUN position to block remote logic changes. Organizations must audit for exposed industrial ports such as 44818 and 2222 and rotate all default credentials across the OT environment. Failing to remove these systems from public view is an open invitation for geopolitical adversaries to use your operational uptime as a diplomatic bargaining chip.
“In short, the cease-fire will not stop our adversaries from attacking the United States’ critical infrastructure, and this will lead to the unavailability of these services, or worse, to incidents that lead to loss of life and limb.
“If your water treatment plant or refinery is searchable on the Internet, you are not running a utility; you are hosting a digital sandbox for the IRGC.”
Denis Calderone, CTO, Suzu Labs:
“When CyberAv3ngers hit Unitronics PLCs back in 2023, it looked like hacktivism. They put political messages on water system displays and moved on. What today’s six-agency advisory describes is different. We warned in March that organizations in energy, water, and government should be actively hunting for pre-positioned access. Today’s advisory confirms that’s exactly what’s been happening, and in some cases has already caused operational disruption and financial loss.
“Today, we’re seeing the threat actors conducting fairly surgical operations, using Studio 5000 Logix Designer, which is Rockwell Automation’s own PLC programming software, to interact with CompactLogix and Micro850 controllers at the file object level. They’re extracting the programming logic that controls physical processes and manipulating data on HMI and SCADA displays. Think about what that means for a water treatment operator or a power plant engineer. If your display is showing you normal pressure, flow, or chemical dosing levels and the actual values are different, you’re making operational decisions based on false data. That’s how equipment damage and safety incidents happen.
“Now, the advisory specifically calls out Rockwell Automation and Allen-Bradley, and that makes sense because Rockwell holds roughly 35 to 40 percent of the US PLC market. But don’t let the Rockwell focus distract you. The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that’s a Siemens protocol. The advisory itself says ‘potentially other branded PLCs’ are at risk.
“If you’re running Siemens, Schneider, or any other PLC platform and assuming this doesn’t apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem.
“The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period. The advisory confirms that the attackers are simply connecting to internet-exposed devices using overseas IP addresses. But internet isolation alone isn’t enough. Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments.
“If you have PLCs on flat networks that IT workstations can reach directly, you have a problem. Modbus TCP has essentially zero security controls built in. That protocol originates from 1979 when these were closed systems. Review logs now for suspicious traffic on ports 44818, 2222, 102, 22, and 502. And if you’re running Rockwell devices, reach out to Rockwell through their existing support channels for specific mitigation guidance tied to this advisory.”
The fact that all these agencies are warning about this should show you how serious this problem is. And to be clear, this is a today problem that requires immediate action. Otherwise really bad things will happen.
Leave a comment »