Iranian-Affiliated Hackers Target US Water, Energy and Government Facilities via Internet-Exposed PLCs

A joint advisory from CISA, FBI, NSA, and the Department of Energy warns that Iranian-affiliated APT actors have been compromising internet-facing programmable logic controllers at water utilities, energy facilities and local government sites since at least March 2026. Operators should treat any internet-exposed OT device as potentially compromised and implement immediate network isolation.


A joint advisory published on 7 April 2026 by the Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, and the Department of Energy describes an active campaign by Iranian-affiliated threat actors targeting internet-exposed programmable logic controllers (PLCs) across multiple US critical infrastructure sectors. Affected organisations, including water utilities, energy providers, and local government facilities, have confirmed disruptions to their operational technology (OT) systems.

What Is Being Targeted

The advisory (AA26-097A) identifies a pattern of exploitation focused on PLCs and human-machine interfaces (HMIs) that are directly reachable from the internet. The threat actors are not exploiting novel software vulnerabilities; instead, they are abusing weak or default authentication on devices that should never have been publicly accessible in the first place.

Once access is gained, operators have documented attackers wiping device configurations, manipulating the data displayed on HMI and SCADA consoles, and interfering with the sensor readings that control software relies on. In several incidents this caused operational disruptions and financial losses, as physical processes dependent on accurate sensor data were interrupted or halted entirely.

Who Is Behind the Campaign

The FBI attributes the campaign to an Iranian-affiliated advanced persistent threat group whose activities have escalated markedly since early March 2026. The timing aligns with a broader deterioration in US-Iran-Israel relations, and the advisory characterises the targeting as likely retaliatory in nature. The group has demonstrated a preference for water and wastewater utilities, energy sector operators, and municipal government facilities: all three sectors carry high disruption value relative to the technical effort required for exploitation.

The National Energy Reliability Corporation (NERC) separately confirmed it is actively monitoring the electricity grid for related activity.

Why OT Devices Are So Vulnerable

PLC and HMI devices designed for operational environments were typically built for reliability and deterministic behaviour, not security. Many were deployed before remote access was common and now sit on internet-facing connections added later for convenience. A significant proportion carry default vendor credentials that have never been changed, and firmware update cycles in OT environments are measured in years, not weeks.

The attack chain documented in AA26-097A requires no sophisticated exploit, only a network path and valid credentials. This makes the barrier to entry exceptionally low for a nation-state actor willing to invest in credential harvesting or systematic default-password testing at scale.

Immediate priorities for water, energy, and local government OT operators:

  • Audit internet connectivity of all PLC and HMI devices. If a device does not need to be internet-reachable, remove that access now. Where remote monitoring is genuinely required, enforce connectivity through a firewall or data diode.
  • Change all default credentials on every field device without exception. Treat any device with known default credentials as already compromised until rotation is complete.
  • Enable whatever logging the device supports and forward it to a SIEM. Export authentication events, configuration change records, and alarm state changes.
  • Verify current configuration integrity. Compare live device configurations against documented baselines. Unexplained drift, particularly recently introduced changes, should be treated as a potential indicator of compromise.
  • Isolate at-risk devices behind a DMZ or dedicated OT jump host. Remote access must never traverse directly from the internet to a PLC or HMI.
  • Review CISA advisory AA26-097A for the full indicator-of-compromise list and sector-specific mitigations, including details specific to water/wastewater, energy, and local government environments.
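As an added example for the configuration-integrity step above (not code from the advisory or any vendor), the following check compares exported device configurations against a documented baseline and flags drift, unreachable devices, and devices that were never baselined. The `key=value` export format, device names and settings are hypothetical; drift dated on or after the campaign's March 2026 start is rated high so it is triaged as a potential indicator of compromise.

```python
import hashlib
from datetime import date
CAMPAIGN_START = date(2026, 3, 1)  # first month of activity per the advisory

def config_hash(config_text: str) -> str:
    """SHA-256 of a normalised export; CRLF and trailing-space differences are ignored."""
    normalised = "\n".join(line.rstrip() for line in config_text.splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()

def parse_kv(config_text: str) -> dict:
    """Parse the hypothetical 'key=value' export format into a dict."""
    return {k.strip(): v.strip() for k, v in
            (l.split("=", 1) for l in config_text.splitlines() if "=" in l)}

def check_drift(baseline: dict, live: dict) -> list:
    """baseline: device -> {"sha256", "config"}; live: device -> {"config", "modified" (date)}.
    Returns findings, highest severity first; drift dated on/after CAMPAIGN_START is high."""
    findings = []
    for device, base in baseline.items():
        obs = live.get(device)
        if obs is None:  # device not answering: possible wipe, outage or isolation
            findings.append({"device": device, "status": "UNREACHABLE", "severity": "high", "changed": []})
            continue
        if config_hash(obs["config"]) == base["sha256"]:
            continue  # matches the documented baseline
        before, after = parse_kv(base["config"]), parse_kv(obs["config"])
        changed = sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))
        severity = "high" if obs["modified"] >= CAMPAIGN_START else "medium"
        findings.append({"device": device, "status": "DRIFT", "severity": severity, "changed": changed})
    for device in live.keys() - baseline.keys():  # never baselined, so integrity cannot be verified
        findings.append({"device": device, "status": "UNBASELINED", "severity": "medium", "changed": []})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["device"]))

# Constructed sample data: hypothetical devices and settings, not from the advisory.
PUMP_BASE = "setpoint.pressure=45\nalarm.high=60\nremote.access=0\n"
HMI_BASE = "display.override=none\nauth.default_password=changed\n"
BASELINE = {
    "plc-pump-01": {"sha256": config_hash(PUMP_BASE), "config": PUMP_BASE},
    "hmi-intake-02": {"sha256": config_hash(HMI_BASE), "config": HMI_BASE},
    "plc-chlorine-03": {"sha256": config_hash("dose.rate=2.0\n"), "config": "dose.rate=2.0\n"},
}
LIVE = {
    "plc-pump-01": {"config": PUMP_BASE.replace("remote.access=0", "remote.access=1"), "modified": date(2026, 3, 22)},
    "hmi-intake-02": {"config": HMI_BASE.replace("\n", "\r\n"), "modified": date(2025, 9, 14)},  # cosmetic only
    "rtu-well-04": {"config": "poll.interval=30\n", "modified": date(2026, 3, 30)},
}

if __name__ == "__main__":
    print(*check_drift(BASELINE, LIVE), sep="\n")
```

Feed it the same export a device would produce for a backup, and store the baseline hashes somewhere the device itself cannot modify, otherwise a wiped or altered device can also erase the evidence of drift.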

NERC has issued heightened monitoring guidance for electricity sector entities. The most effective single action any OT operator can take today is to remove direct internet access from every device that controls a physical process.