Six US agencies issued a joint advisory this week. FBI. CISA. NSA. Environmental Protection Agency. Department of Energy. US Cyber Command. That is an unusual coalition, and it is unusual for a reason: Iranian-linked hackers are actively manipulating industrial control systems inside American water utilities, energy facilities, and government buildings.
Not scanning them. Not exfiltrating data from them. Physically manipulating operational controls.
What Is Actually Happening
The activity, attributed to Iranian-linked threat actors, targets internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers, specifically CompactLogix and Micro850 models. These are the devices that actually run things: pump speeds in water treatment plants, valve positions, HMI displays showing operators what their systems are doing.
The attackers used leased, third-party infrastructure running Rockwell's own Studio 5000 Logix Designer configuration software to establish connections to victim PLCs. They then deployed Dropbear SSH on victim endpoints for persistent remote access and used it to extract PLC project files and tamper with data on HMI and SCADA displays. When a water plant operator looks at a screen showing normal chlorine levels, and that screen has been tampered with, the problem is not the screen. The problem is what happens next.
Multiple US critical infrastructure sectors have been hit: government services and facilities, water and wastewater systems, and energy. Financial losses and operational disruptions have been recorded since at least March 2026.
The Exposure Problem Is Not New and That Is the Frustrating Part
After the advisory dropped, Censys scanned for internet-exposed Rockwell Automation and Allen-Bradley PLC hosts. They found 5,219. Nearly 3,900 are in the United States.
Three thousand nine hundred industrial control systems, directly reachable from the public internet.
I have worked with organizations that will spend three months debating the procurement process for a next-gen firewall and still have SCADA systems reachable on default credentials because "that network has always been that way." That is the culture this attack is exploiting. It is not zero-days. It is not sophisticated lateral movement through a zero-trust architecture. It is walking through an open door.
The OT security community has been screaming about internet-exposed PLCs for a decade. This is what it looks like when nobody listened long enough.
Why Iran and Why Now
Iran has maintained a persistent interest in attacking US critical infrastructure, particularly water and energy systems. In late 2023, the IRGC-affiliated group Cyber Av3ngers (also tracked as Hydro Kitten and Shahid Kaveh Group) compromised at least 75 Unitronics PLC devices at the Municipal Water Authority of Aliquippa in Pennsylvania. The US subsequently sanctioned Iranian military hackers specifically for attacks on water facilities. This 2026 campaign is the same threat model at larger scale. The motivation is partly retaliatory, partly demonstrative: the ability to disrupt physical infrastructure has geopolitical value even if you never fully use it.
The current wave ties into elevated Iran-US tensions. When nation-states want to signal capability without triggering a kinetic response, OT disruption sits in a useful gray zone. Manipulating a water plant display is alarming, defensible as "just reconnaissance," and extremely difficult to attribute cleanly.
This is not the same as ransomware. Ransomware actors want money. This is more like someone learning the layout of your house while occasionally moving your furniture. It is designed to create uncertainty.
What to Do About It Right Now
The advisory is specific, which is useful. Immediate priorities:
Take every Rockwell Automation and Allen-Bradley PLC off the public internet. If there is a business justification for remote access, that justification needs to go through a VPN with MFA, not a direct TCP connection.
Audit your HMI authentication. Default and weak credentials are endemic in OT environments, and the advisory's remediation guidance specifically calls for MFA and disabling any unused authentication features.
Check your monitoring. If you have no baseline for what normal PLC communications look like, you have no way to detect manipulation. OT-specific network visibility tools are not optional anymore.
Assume your maintenance vendor has access. A lot of these internet-exposed devices were opened up so a vendor could "just check something quickly." That vendor's laptop is in scope. Their credentials are in scope.
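The monitoring step above needs a baseline before it can detect anything. The following is an added example (not code from the advisory, from Censys, or from the author) showing one way to turn a baseline into alerts: it parses constructed flow records, flags EtherNet/IP sessions (the Studio 5000 to Logix protocol, TCP 44818) to PLCs from sources outside the baseline or outside the site's own address plan, flags EtherNet/IP to devices the baseline does not know about, and flags SSH to OT hosts that should never expose it (the advisory describes Dropbear SSH being dropped on victim endpoints). The site address plan, the PLC addresses, the baseline pairs and every log line are assumptions invented for the example.

```python
import ipaddress
from collections import Counter

# EtherNet/IP (CIP) explicit messaging port used by Studio 5000 to reach Logix PLCs,
# and the SSH port an unexpected Dropbear listener would appear on.
ENIP_PORT = 44818
SSH_PORT = 22

# Assumed site address plan: anything outside these ranges is treated as external.
# Using the site's own plan avoids relying on generic "is this IP private" heuristics.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed baseline: which engineering sources are allowed to talk EtherNet/IP to which PLCs.
BASELINE = {
    "10.20.5.10": {"10.20.1.15"},
    "10.20.5.11": {"10.20.1.15"},
}

# Assumed OT enclave hosts (PLCs, HMIs, historians) that must never accept SSH.
OT_HOSTS = {"10.20.5.10", "10.20.5.11", "10.20.5.12"}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>". Not real data.
SAMPLE_LOG = """\
2026-04-02T08:00:01 10.20.1.15 10.20.5.10 44818 tcp
2026-04-02T08:00:05 10.20.1.15 10.20.5.11 44818 tcp
2026-04-02T08:03:10 10.20.9.40 10.20.5.10 44818 tcp
2026-04-02T08:05:22 203.0.113.77 10.20.5.10 44818 tcp
2026-04-02T08:06:00 198.51.100.9 10.20.5.12 22 tcp
2026-04-02T08:06:40 10.20.1.15 10.20.5.30 44818 tcp
2026-04-02T08:07:30 10.20.1.15 10.20.5.10 443 tcp
"""


def parse_flow(line: str):
    """Parse one flow record into (timestamp, src, dst, dst_port, proto); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return ts, src, dst, int(dport), proto.lower()
    except ValueError:
        return None


def is_internal(ip: str) -> bool:
    """True if the address falls inside the site's own address plan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(flow, baseline=BASELINE, ot_hosts=OT_HOSTS):
    """Return an alert tuple (kind, ts, src, dst) or None for baseline-conformant traffic."""
    ts, src, dst, dport, proto = flow
    if proto != "tcp":
        return None
    if dport == ENIP_PORT:
        if not is_internal(src):
            return ("EXTERNAL_SOURCE_TO_PLC", ts, src, dst)
        if dst not in baseline:
            # A controller the baseline has never seen: shadow device or mis-inventoried PLC.
            return ("ENIP_TO_UNKNOWN_DEVICE", ts, src, dst)
        if src not in baseline[dst]:
            return ("UNBASELINED_SOURCE_TO_PLC", ts, src, dst)
        return None
    if dport == SSH_PORT and dst in ot_hosts:
        return ("SSH_TO_OT_HOST", ts, src, dst)
    return None


def detect(log_text: str, baseline=BASELINE, ot_hosts=OT_HOSTS):
    """Run every line of a flow log through the baseline check and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = classify_flow(flow, baseline, ot_hosts)
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts):
    """Count alerts by kind so a shift operator can see what changed at a glance."""
    return dict(Counter(kind for kind, *_ in alerts))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(summarize(detect(SAMPLE_LOG)))
```

The baseline here is a hand-maintained dictionary; in practice it would be learned from a quiet period of captured OT traffic and then frozen, so that the vendor laptop from the last bullet shows up as an unbaselined source the first time it connects rather than being silently absorbed into "normal".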
The Broader Context
This advisory comes in the same week that the FBI published its annual cybercrime report: $20.9 billion in losses in 2025, up 26% year over year. Security researchers published new findings on North Korean supply chain operations, with over 1,700 malicious packages deployed across npm, PyPI, Go, and Rust simultaneously. The threat landscape in April 2026 is not subtle.
The OT piece is the one that worries me most. Ransomware is painful and expensive. Someone with the ability to physically disrupt water treatment across multiple US cities is operating in a different threat category entirely. The gap between "they are doing this" and "it becomes a serious public safety event" is narrower than the advisory language suggests.
The joint advisory from six agencies is a rare thing. When the EPA and DOE join the FBI and CISA on the same document, that is a signal worth taking seriously.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want the uncomfortable conversation before the incident report.