April 22, 2026 Cyber Trends
Iranian state-backed hackers are actively targeting 3,900+ exposed U.S. PLCs and SCADA systems. Learn how InfoSight's OT security assessments, 24/7 SOC, and MDR services protect your critical infrastructure before an attack disrupts operations.
Nearly 4,000 U.S. Industrial Devices Are Already Exposed — Here's What You Need to Do Now
The warning couldn't be more direct. In April 2026, the FBI, CISA, NSA, the Environmental Protection Agency (EPA), the Department of Energy (DOE), and U.S. Cyber Command jointly issued an urgent advisory: Iranian state-backed hackers are actively targeting internet-exposed industrial control systems across the United States — and they are causing real operational damage right now.
If your organization operates programmable logic controllers (PLCs), SCADA systems, or human-machine interfaces (HMIs) — in manufacturing, water and wastewater, energy, government facilities, or healthcare — this threat is aimed directly at you.
What's Happening: The Iranian PLC Attack Campaign
According to the joint federal advisory, Iranian-affiliated advanced persistent threat (APT) actors have been systematically targeting Rockwell Automation / Allen-Bradley PLC devices since at least March 2026. Their goal is not just espionage — it's disruption. Confirmed impacts on victim organizations already include operational downtime and direct financial losses.
Cybersecurity research firm Censys analyzed the global exposure and found more than 5,200 vulnerable industrial control systems exposed directly to the internet worldwide. Of those, nearly 3,900 — approximately 75% — are located in the United States. The U.S. dominates this exposure because Rockwell Automation holds a commanding market share in North American industrial automation.
The attack methodology involves:
Accessing internet-exposed PLCs that have no firewall, VPN, or authentication barrier between them and the public internet
Manipulating project files within the PLC to alter automation logic
Falsifying data on HMI and SCADA displays, causing operators to act on false readings
Causing physical process disruptions — from incorrect chemical dosing in water systems to shutting down production lines
This isn't a theoretical risk. The same Iranian hacking group — CyberAv3ngers, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) — previously compromised at least 75 Unitronics PLC devices between November 2023 and January 2024, with half of those in U.S. Water and Wastewater Systems. More recently, an Iranian-linked group wiped approximately 80,000 devices from the network of a major U.S. medical company. The pattern is clear: these actors are escalating.
A Use Case That Could Be Your Organization
Let's make this real. Imagine a mid-sized municipal water authority in the Southeast United States. They operate a treatment facility that uses Allen-Bradley PLCs to automate chemical dosing — chlorine levels, pH balance, pressure valves. Their IT team manages the corporate network, but the OT environment — the PLCs and SCADA displays — was set up years ago by a controls integrator and has had minimal security changes since.
Because operators and engineers occasionally need to access the system remotely, a remote desktop port was opened directly on the internet for "convenience." No MFA. No VPN. Default authentication keys still in place. Nobody is monitoring OT network traffic.
One afternoon, an Iranian-affiliated APT actor — scanning the internet systematically for exposed Allen-Bradley devices — discovers this facility's PLC. Within hours, they have accessed the project file. They don't make it obvious. Instead, they quietly adjust the upper threshold for chlorine dosing. The HMI display still shows "normal." Operators see nothing alarming.
Weeks later, water quality complaints start coming in. By the time anyone connects the anomaly to the control system, the PLC logic has already been altered twice more. The incident triggers a state investigation, a public notification requirement, potential EPA fines, and an emergency remediation effort costing hundreds of thousands of dollars — not counting the reputational damage to the authority and the public trust crisis that follows.
This is not a hypothetical scenario designed to frighten you. Variations of this exact scenario have already played out in U.S. infrastructure. The 2021 Oldsmar, Florida water treatment attack — where an intruder attempted to raise sodium hydroxide levels to dangerous concentrations via remote access — was a stark early warning. The Iranian campaigns of 2023–2026 represent a far more organized, state-sponsored escalation.
The same vulnerability profile applies to energy co-ops, food and beverage manufacturers, chemical processors, government facilities, and hospitals — any organization where a PLC or SCADA system touches the internet, even indirectly.
Why Most Industrial Organizations Are Still Exposed
The uncomfortable truth is that OT cybersecurity has historically been an afterthought. The reasons are understandable but no longer acceptable:
"Air gap" assumptions are outdated. Many organizations believe their OT networks are isolated. In reality, remote access tools, cloud connectivity, vendor VPNs, and poorly segmented corporate networks have quietly bridged that gap over years of operational convenience.
Legacy systems with no security patching. PLCs and SCADA systems often run for 15–20 years. Security updates are infrequent. Default credentials and authentication keys from initial installation are often never changed.
IT/OT responsibility gaps. IT teams don't always have visibility into OT environments, and OT engineers are process experts, not cybersecurity professionals. The result is a blind spot that adversaries are now exploiting at scale.
No 24/7 monitoring on OT networks. Unlike enterprise IT environments, most industrial OT networks have no continuous monitoring for anomalous traffic, unauthorized access, or lateral movement. Attackers can persist for weeks or months undetected.
What Federal Agencies Are Telling You to Do
The joint CISA/FBI/NSA advisory is specific in its recommendations. Every industrial operator should act on these immediately:
Disconnect PLCs from the public-facing internet. If remote access is required, route it through a secure, authenticated gateway — not a direct connection.
Implement MFA for all access to OT networks and remote interfaces.
Change default authentication keys and credentials on all PLC and SCADA devices.
Set physical mode switches to "run" position on controllers when programming or updates are not actively in progress.
Monitor OT network traffic for suspicious activity, especially traffic originating from overseas hosting providers.
Keep PLC firmware updated to the latest available versions.
Disable all unused services and ports on industrial control devices.
Scan logs for the indicators of compromise (IOCs) published in the joint advisory.
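As an added illustration of the "disconnect" and "monitor OT traffic" steps above (this is not code from the advisory or from InfoSight), the Python script below checks constructed firewall accept/drop records for sessions that reach EtherNet/IP (44818/tcp, the protocol Allen-Bradley controllers speak) or RDP from outside an assumed trust boundary made up of the OT subnet plus one authenticated remote-access gateway. The log layout, subnets and addresses are all assumptions; the output is the list of PLC hosts to take off the internet first.

```python
import ipaddress
import re
from collections import defaultdict

# 44818/tcp is EtherNet/IP (Allen-Bradley controllers); 3389/tcp is the RDP "convenience"
# port from the water-authority scenario. Standard port numbers, not values from the advisory.
WATCHED_PORTS = {44818: "EtherNet/IP", 3389: "RDP"}

# Assumed trust boundary: the OT subnet plus one authenticated remote-access gateway.
# Any other source reaching a watched port is the direct exposure the advisory says to remove.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.1.1.10/32")]

# Constructed firewall log lines in an assumed key=value layout (not a real product's format).
SAMPLE_LOG = """\
2026-04-20T02:11:03Z action=accept src=203.0.113.45 dst=10.20.5.7 dport=44818 proto=tcp
2026-04-20T02:11:09Z action=accept src=10.20.1.15 dst=10.20.5.7 dport=44818 proto=tcp
2026-04-20T03:40:51Z action=accept src=198.51.100.9 dst=10.20.5.20 dport=3389 proto=tcp
2026-04-20T04:02:17Z action=accept src=203.0.113.45 dst=10.20.5.8 dport=44818 proto=tcp
2026-04-20T04:05:00Z action=accept src=10.1.1.10 dst=10.20.5.20 dport=3389 proto=tcp
2026-04-20T04:07:33Z action=drop src=203.0.113.99 dst=10.20.5.7 dport=44818 proto=tcp
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=\w+$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return {**m.groupdict(), "dport": int(m["dport"])} if m else None

def is_allowed_source(src):
    """True if src lies inside the trust boundary (OT subnet or the remote-access gateway)."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_SOURCES)

def find_direct_exposures(log_text):
    """Accepted sessions to PLC/remote-access ports from outside the trust boundary.
    Dropped attempts are scanning noise; accepted ones are the exposure to close."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "accept" and rec["dport"] in WATCHED_PORTS
                and not is_allowed_source(rec["src"])):
            hits.append((rec["ts"], rec["src"], rec["dst"], WATCHED_PORTS[rec["dport"]]))
    return hits

def exposed_hosts(log_text):
    """Map each reachable OT host to its untrusted sources: the disconnect-first list."""
    by_host = defaultdict(set)
    for _, src, dst, _ in find_direct_exposures(log_text):
        by_host[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_host.items()}
```

Enriching each untrusted source with a GeoIP or ASN lookup is the natural next step for the advisory's "overseas hosting provider" check; that lookup is deliberately left out so the script runs offline.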
These are the right steps. The challenge for most organizations is that they lack the internal expertise, visibility tools, and around-the-clock staffing to actually execute and sustain them.
How InfoSight Helps You Close These Gaps
InfoSight has been protecting critical infrastructure, manufacturing, healthcare, energy, and government organizations for over 25 years. Our services are purpose-built for exactly the threat environment described in this advisory.
OT/ICS Security Assessments
Before you can defend your industrial environment, you need to know exactly what's exposed. InfoSight's Industrial Control System (ICS) and IoT Security Assessments provide a comprehensive inventory and risk analysis of your PLCs, DCS systems, HMIs, and IIoT devices. We uncover misconfigurations, weak network segmentation, legacy exploits, and internet-exposed assets — then deliver a prioritized remediation roadmap aligned to IEC 62443 and NIST SP 800-82 frameworks. You'll know precisely which devices are at risk and exactly what to fix first.
24/7 SOC-as-a-Service with Managed Detection & Response (MDR)
The Iranian APT campaign succeeds largely because nobody is watching the OT network in real time. InfoSight's U.S.-based Security Operations Center monitors your environment around the clock — 24 hours a day, 365 days a year — with analysts who triage, investigate, and respond to threats before they become incidents. Our OT-aware SOC provides:
Continuous monitoring of your industrial and corporate networks from a single pane of glass
Real-time threat detection and alerting on anomalous OT traffic
Rapid incident containment and remediation support
Threat intelligence feeds specifically tracking nation-state OT actors, including Iranian APT groups
Compliance-ready reporting aligned to NERC CIP, NIST, and sector-specific frameworks
We operate a co-managed model that extends your existing IT team rather than replacing it — giving you enterprise-grade security coverage without the cost of building an internal SOC.
Penetration Testing (Including SCADA/ICS)
You can't trust assumptions about your OT security posture. InfoSight's offensive security team simulates real-world attacker techniques against your networks, including SCADA and ICS environments. Our penetration tests identify the exact pathways an Iranian APT actor — or any threat actor — could use to reach your PLCs from the internet. We deliver analyst-prepared findings, not canned scan output, with actionable remediation guidance your team can act on immediately.
Managed EDR & Endpoint Protection
For the IT-side attack surface that connects to your OT environment, InfoSight's Managed EDR solution provides AI-powered endpoint detection that blocks malware, detects zero-day attacks, and monitors suspicious behavior in real time — protecting the workstations, engineering laptops, and servers that have access to your industrial network.
Virtual CISO & Compliance Programs
If your organization lacks dedicated cybersecurity leadership, InfoSight's Virtual CISO program bridges the communication and strategy gap between IT and OT. We help you build and maintain a defensible security posture, meet regulatory requirements (NERC CIP, NIST 800-82, IEC 62443, HIPAA, and others), and demonstrate due diligence to your board, insurers, and regulators.
The Cost of Waiting
Nation-state actors don't wait for convenient timing. The Iranian APT campaign documented in this advisory is active right now. Every day that your PLCs remain internet-exposed, unmonitored, or running default credentials is another day that your organization appears on an attacker's scan results.
The cost of a successful attack — operational downtime, emergency remediation, regulatory fines, public notification requirements, legal liability, and reputational damage — dwarfs the cost of proactive security. One incident can set a mid-sized manufacturer or utility back millions of dollars and months of recovery time.
The question is not whether your organization could be targeted. The question is whether your defenses are mature enough to detect and stop the attack when it comes.
Take Action Today
InfoSight offers a free initial consultation to assess your OT/ICS exposure and discuss how our services can be tailored to your environment and budget. Whether you're in manufacturing, water and wastewater, energy, healthcare, or government — if you operate industrial control systems, we can help.