PLCs left online being hit

Recent agency warnings say internet‑exposed programmable logic controllers are being attacked and disrupting U.S. oil, gas and water systems, proving legacy industrial devices remain high-impact targets. Reports tie some activity to Iran-linked actors and emphasise the same root cause—critical OT devices reachable from the public Internet. That makes asset exposure and segmentation practical differentiators: a vulnerable management plane can cascade into physical outages rather than just data loss. (industrialcyber.co) (moneycontrol.com)

A programmable logic controller is the small industrial computer that opens a valve, starts a pump, or stops a conveyor belt when a sensor changes. On April 7, 2026, United States agencies said attackers are reaching those controllers over the public internet and causing real disruptions in oil, gas, and water systems. (cisa.gov)

The warning came from the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Environmental Protection Agency, and the Department of Energy. Their advisory says Iranian-affiliated actors targeted internet-facing devices, including Rockwell Automation Allen-Bradley programmable logic controllers, to disrupt operations and cause financial loss. (cisa.gov)

These boxes were never meant to sit on the open internet like a public website. The agencies said the attackers tampered with project files and changed what operators saw on human-machine interface and supervisory control and data acquisition screens, which are the dashboards people use to run plants. (cisa.gov)

A human-machine interface is the screen an operator clicks, and a supervisory control and data acquisition system is the software layer that gathers readings and sends commands across a plant. If the screen lies or the controller is changed underneath it, a worker can make the wrong move while thinking the system is normal. (cisa.gov)

This is not a brand-new playbook. In December 2023, the same federal agencies warned that Islamic Revolutionary Guard Corps-affiliated actors using the name CyberAv3ngers were compromising Unitronics programmable logic controllers in U.S. water and wastewater systems and leaving political defacement messages on operator screens. (cisa.gov)

Federal agencies have been warning for months that the easiest target is often not the pump or the pipe but the remote access path left exposed online. A December 2024 fact sheet from the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency said they routinely find internet-exposed human-machine interfaces for water systems through public web-based search platforms. (epa.gov)

That is why the April 2026 advisory reads less like a mystery and more like a repeat failure. The agencies told operators to remove operational technology from direct internet exposure, change default passwords, use strong unique credentials, require multifactor authentication for remote access, and segment plant networks from business networks. (cisa.gov)

Segmenting a network means putting locked doors between the office side and the machine side. If an attacker gets into email or a remote support account, those barriers can keep the intruder from reaching the controller that actually opens the valve. (cisa.gov)

The water sector got its own public warning the same day because small utilities often run older equipment with thin staffing and vendor remote access left on for convenience. The Environmental Protection Agency said the threat is urgent and ongoing and told water systems to review internet-exposed devices immediately. (epa.gov)

The uncomfortable part is how little sophistication is required once a controller is hanging out online with weak access controls. In a May 2024 fact sheet, the Cybersecurity and Infrastructure Security Agency said pro-Russia hacktivists were already compromising small-scale industrial systems through internet-exposed software components and default passwords. (cisa.gov)

So the story here is not only about Iran or one brand of controller. It is that a device built to move water, fuel, or chemicals can still be found from the public internet in 2026, and when that happens the result is not stolen spreadsheets but pumps stopped, screens falsified, and physical operations knocked offline. (cisa.gov)
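The two network mitigations above (no direct internet exposure, and segmentation between the business and plant sides) can be checked against a firewall rule export. The sketch below is an added example, not taken from any advisory; the zone addresses, jump host, rule names and rule tuple format are all hypothetical, and it evaluates each rule on its own rather than modelling first-match ordering.

```python
import ipaddress

# Constructed sample data: the zone layout and firewall rules are hypothetical.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_ZONE = ipaddress.ip_network("10.50.0.0/24")     # controllers and HMIs
JUMP_HOST = ipaddress.ip_network("10.20.0.10/32")  # the one approved path into OT
RULES = [  # (name, action, source CIDR, destination CIDR, destination port)
    ("vendor-remote", "allow", "0.0.0.0/0", "10.50.0.15/32", 44818),  # EtherNet/IP
    ("office-to-hmi", "allow", "10.10.0.0/16", "10.50.0.0/24", 443),
    ("jump-to-ot", "allow", "10.20.0.10/32", "10.50.0.0/24", 3389),
    ("office-outbound-web", "allow", "10.10.0.0/16", "0.0.0.0/0", 443),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def audit_rules(rules, ot_zone=OT_ZONE, jump_host=JUMP_HOST):
    """Return (rule name, severity, reason) for every allow rule that admits
    traffic into the OT zone from anywhere other than the jump host.
    Assumption: rules are judged independently; a real audit must also
    honour the firewall's rule order."""
    findings = []
    for name, action, src, dst, port in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if action != "allow" or not dst_net.overlaps(ot_zone):
            continue  # denies, and rules that cannot touch the OT zone
        if src_net.subnet_of(jump_host) or src_net.subnet_of(ot_zone):
            continue  # approved path, or traffic that stays inside OT
        if not any(src_net.subnet_of(n) for n in RFC1918):
            # Source range includes public addresses: direct internet exposure.
            findings.append((name, "internet-exposed",
                             f"{src} can reach OT on port {port}"))
        else:
            # Internal source outside OT: the segmentation boundary is open.
            findings.append((name, "unsegmented",
                             f"internal network {src} can reach OT on port {port}"))
    return findings

if __name__ == "__main__":
    for name, severity, reason in audit_rules(RULES):
        print(f"{severity:17} {name:20} {reason}")
```

Note that the broad outbound web rule is flagged too: an any-destination allow from the office network also covers the controller subnet unless a more specific deny precedes it.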
