Iranian actors hitting OT gear
Federal agencies warned that Iranian-affiliated hackers are actively targeting internet-connected industrial controllers used in energy and water systems, a direct threat to operational technology that runs physical processes. The advisory names common PLC vendors and provides indicators and mitigations so defenders can hunt and patch vulnerable devices before outages occur. That warning shifts the problem from pure IT controls into operational continuity and evidence collection for incident response. (politico.com) (x.com)
# Iranian actors hitting OT gear

Federal agencies warned on April 7, 2026 that Iranian-affiliated hackers are actively targeting the industrial controllers that run physical equipment in U.S. energy, water, and government facilities. The alert says the activity is already causing operational disruption and financial loss, which means this is no longer a story about stolen files or office networks alone. (cisa.gov)

The devices at the center of the warning are programmable logic controllers, which are small industrial computers that tell pumps, valves, motors, and other machines what to do. In a water plant, a programmable logic controller may open a valve at a set pressure; in an energy facility, it may start or stop equipment based on sensor readings. (politico.com)

That is what makes operational technology different from ordinary information technology. A breach of an email server can expose messages, but a breach of operational technology can change a physical process, interrupt service, damage equipment, or create safety risks for the people who depend on that service. (epa.gov)

The advisory, published by the Cybersecurity and Infrastructure Security Agency with the Federal Bureau of Investigation, National Security Agency, U.S. Cyber Command, Department of Energy, Environmental Protection Agency, and Cyber National Mission Force, says the attackers are exploiting internet-facing operational technology devices. In plain terms, some of the systems that should sit deep inside industrial networks are reachable from the public internet, and that gives remote attackers a direct path to machinery. (cisa.gov)

The warning specifically names programmable logic controllers made by Rockwell Automation under the Allen-Bradley brand as actively exploited, while adding that controllers from other vendors may also be targeted. That matters because Rockwell equipment is widely used across U.S. industrial environments, so a flaw or exposed configuration in one common product family can ripple across many operators at once. (cisa.gov)

According to the federal alert, the attackers are not just scanning systems or collecting passwords. Agencies say they have maliciously interacted with project files and manipulated data shown on human-machine interface and supervisory control and data acquisition displays, which are the screens operators use to watch and control industrial processes. (cisa.gov)

That detail is important because operators trust those screens the way a driver trusts a dashboard. If an attacker changes what the screen shows, a technician may believe a tank is at one level when it is actually at another, or think a device is running normally when its settings have already been changed. (cisa.gov)

The Environmental Protection Agency said drinking water and wastewater systems are among the affected sectors, and it tied the threat directly to public health. Its April 7 statement warned that a single breach can disrupt treatment, damage equipment, or in the worst case introduce contaminants, which is why a cyber incident at a utility can quickly become a community emergency. (epa.gov)

The government also says this activity resembles the pattern seen in 2023, when the Iran-linked group CyberAv3ngers targeted water facilities in Pennsylvania by defacing Israeli-made control panels. Politico reported that the new advisory does not publicly name the current group, but officials said the campaign bears similarities to those earlier Iran-aligned disruptive operations. (politico.com)

The timing is part of the warning too. The advisory says Iranian-affiliated targeting of U.S. organizations has recently escalated, likely in response to hostilities involving Iran, the United States, and Israel, which suggests federal agencies see the campaign as tied not just to opportunistic hacking but to a broader geopolitical moment. (politico.com)

For defenders, the most immediate instruction is simple: get these controllers off the public internet. The advisory tells organizations to remove programmable logic controllers from direct internet exposure by using secure gateways and firewalls, because the easiest industrial system to attack is the one that can be reached directly from anywhere in the world. (cisa.gov)

The agencies also gave defenders specific places to look for evidence. They recommended searching logs for indicators of compromise and reviewing suspicious traffic tied to ports 44818, 2222, 102, and 502, especially when that traffic comes from overseas hosting providers. (cisa.gov)

For organizations using Rockwell controllers, the advisory adds a very physical mitigation: place the controller's mode switch in the Run position. That step matters because it can limit unauthorized remote changes, which is a reminder that incident response in industrial environments often involves hardware states and plant-floor procedures, not just software patches and password resets. (cisa.gov)

This is the shift the advisory forces on operators and executives alike. A ransomware playbook built around restoring laptops and resetting accounts is not enough when the target is a controller that can wipe configurations, tamper with sensor logic, or mislead an operator screen; now the job includes preserving logs, checking process integrity, validating field readings, and preparing for service continuity if equipment has to be isolated. (cisa.gov)

In other words, the federal warning is about much more than another nation-state intrusion notice. It is a sign that industrial cyber risk in 2026 is sitting closer to the machinery itself, where a remote compromise can become a pump outage, a water treatment problem, or a costly shutdown in the energy sector. (cisa.gov)
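The log review the advisory asks for, worked through as an added example that is not part of the advisory or the article: a small Python script that reads firewall or flow records and flags any connection to ports 44818, 2222, 102, or 502 whose source lies outside the plant's own address space. The `key=value` log format, the sample flow lines, and the internal address ranges are constructed for the example; the protocol names attached to each port are common industry associations, not text from the advisory. Geolocation or hosting-provider enrichment of the flagged sources is left as a follow-up step, since it needs an external data source.

```python
"""Flag flows to OT protocol ports that originate outside the plant network.

Added example; log format, sample data, and address ranges are constructed.
"""
import ipaddress
from collections import defaultdict

# Ports the April 7, 2026 joint advisory tells defenders to review.
# Protocol names are the usual associations for these ports (assumption,
# not advisory text).
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (S7comm)",
    502: "Modbus/TCP",
}

# Assumption: the plant's internal address space. Replace with your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed flow records: "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<p> action=<a>"
SAMPLE_FLOWS = [
    "2026-04-08T03:14:07Z src=203.0.113.45:51234 dst=192.0.2.10:44818 proto=tcp action=allow",
    "2026-04-08T03:14:09Z src=203.0.113.45:51240 dst=192.0.2.10:2222 proto=udp action=allow",
    "2026-04-08T03:15:02Z src=10.20.30.5:40112 dst=192.0.2.10:44818 proto=tcp action=allow",
    "2026-04-08T03:16:44Z src=198.51.100.7:60001 dst=192.0.2.11:502 proto=tcp action=deny",
    "2026-04-08T03:17:10Z src=198.51.100.7:60002 dst=192.0.2.11:443 proto=tcp action=allow",
    "garbage line",
]


def is_internal(ip_str):
    """True if the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one key=value flow record; return a dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        rec[key] = value
    try:
        src_ip, src_port = rec["src"].rsplit(":", 1)
        dst_ip, dst_port = rec["dst"].rsplit(":", 1)
        rec.update(src_ip=src_ip, src_port=int(src_port),
                   dst_ip=dst_ip, dst_port=int(dst_port))
    except (KeyError, ValueError):
        return None
    return rec


def find_external_ot_access(lines):
    """Return (alerts, per_source) for flows from external sources to OT ports.

    Denied flows are kept as well: a blocked probe against 502 is still evidence
    that someone outside is looking for the controller.
    """
    alerts = []
    per_source = defaultdict(set)   # source IP -> set of OT ports it touched
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dst_port"] not in OT_PORTS:
            continue
        if is_internal(rec["src_ip"]):
            continue   # engineering workstation or HMI on the plant network
        alerts.append({
            "ts": rec["ts"], "src": rec["src_ip"], "dst": rec["dst_ip"],
            "port": rec["dst_port"], "service": OT_PORTS[rec["dst_port"]],
            "action": rec.get("action", "?"),
        })
        per_source[rec["src_ip"]].add(rec["dst_port"])
    return alerts, dict(per_source)


if __name__ == "__main__":
    found, sources = find_external_ot_access(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} ({a['service']}) {a['action']}")
    for src, ports in sources.items():
        print(f"{src} touched OT ports {sorted(ports)}")
```

On the constructed sample the script raises three alerts (two from one source that walked both EtherNet/IP ports, one denied Modbus probe) and ignores the internal workstation and the unrelated HTTPS flow. Any external source that appears in `per_source` is a candidate for the hosting-provider and geolocation check the advisory mentions, and its flows belong in the preserved evidence set rather than only in a dashboard.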