Grid operators warned about Iran‑linked activity
Security advisories have flagged Iran‑linked activity that specifically warns grid operators to be on alert — this isn’t speculative chatter, it’s targeted intelligence for critical infrastructure. The notices recommended heightened monitoring for ICS/OT telemetry anomalies and immediate hardening of remote access points, because adversaries focusing on energy systems can cause physical disruption. If you manage operational networks, treat those advisory steps as near‑term priorities rather than distant policy exercises. (x.com)
The warning was not about stolen email or a defaced website. On April 7, 2026, six U.S. agencies said Iran-affiliated hackers had already disrupted programmable logic controllers inside U.S. critical infrastructure, including the energy sector, and caused operational disruption and financial loss. (cisa.gov) A programmable logic controller is the small industrial computer that tells a pump when to start, a breaker when to open, or a valve when to close. If someone tampers with that box, the problem can jump from a screen in a control room to a physical process in the field. (cisa.gov)

The government said the attackers were going after internet-facing operational technology, which means equipment meant to run machines was reachable from the public internet. That is the industrial equivalent of leaving a substation control cabinet unlocked on a sidewalk. (cisa.gov) The main devices named in the advisory were Rockwell Automation and Allen-Bradley controllers. The agencies also warned that other brands could be at risk, which means the problem is not one vendor so much as the habit of exposing control gear to the open internet. (cisa.gov; cybersecuritydive.com)

The attacks did not rely on some cinematic new weapon. Federal officials said the hackers used malicious interactions with project files and manipulated what operators saw on human-machine interface and supervisory control and data acquisition screens, which are the dashboards engineers use to watch and steer industrial equipment. (cisa.gov; cybersecuritydive.com) That matters because a false reading on a control screen can be as dangerous as a broken sensor. If an operator sees normal pressure or flow on the screen while the underlying controller has been changed, the delay in spotting the problem can be the whole attack. (cisa.gov)

This warning landed in the middle of a broader spike in concern about Iranian cyber activity tied to the current conflict. CISA said Iranian-affiliated advanced persistent threat campaigns against U.S. organizations had recently escalated, and the North American Electric Reliability Corporation said it was actively monitoring the grid with the Department of Energy and the Electricity Subsector Coordinating Council. (utilitydive.com)

For grid operators, the practical advice was blunt. The April 7 advisory told organizations to remove controllers from direct internet exposure, check logs for suspicious traffic on industrial ports including 44818, 2222, 102, and 502, and hunt for signs of current or past compromise. (cisa.gov) The same advisory told defenders to tighten remote access, and reporting on the alert said agencies specifically urged multifactor authentication and physical-mode switches on affected Rockwell devices set to “run.” In plain English, that means making remote entry harder and making casual remote reprogramming harder too. (cybersecuritydive.com)

One reason this keeps happening is that the exposure is not theoretical. Cybersecurity Dive reported that more than 3,000 Rockwell devices were still visible on the public internet this week, which gives attackers a ready-made list of doors to jiggle. (cybersecuritydive.com)

The thread running through all of this is simple: the weak point is often not the power plant turbine or the transmission line, but the forgotten remote connection into the system that controls them. When the government says the attacks already caused disruption, that is a notice to treat industrial network cleanup as this week’s maintenance work, not next quarter’s policy memo. (cisa.gov; utilitydive.com)
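The advisory's log-check step, turned into something a defender can run: the script below is an added example written for this article, not code from CISA, Rockwell or any vendor tool. It assumes a simple space-separated firewall or flow log format (constructed here for the demonstration) and flags every connection to the four advisory ports that comes from an address outside the plant's internal ranges, then separates connections the firewall actually allowed (a controller that is reachable from the internet) from ones it blocked (someone probing for it). The protocol names attached to each port, the sample addresses and the log layout are all assumptions of the example.

```python
"""Hunt for internet-sourced traffic to industrial-protocol ports in firewall logs.

Added example for this article; not from CISA, Rockwell or any vendor tool.
It assumes a simple space-separated firewall/flow log, constructed below:

    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <ALLOW|DENY>

The watched ports are the four the advisory names: 44818, 2222, 102 and 502.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the April 7 advisory, with the industrial protocol usually behind each.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
}

# Ranges treated as "inside the plant". Listed explicitly rather than via
# ipaddress.is_private, because that helper also counts the RFC 5737 documentation
# ranges used as stand-in public addresses in the sample below as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True when the address falls in one of the plant-internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ot_traffic(lines):
    """Return one finding per connection to an OT port from a non-internal source.

    Internal engineering-workstation traffic to a controller is expected and is
    skipped. An ALLOW from a public address means the controller is reachable
    from the internet; a DENY still shows that someone is looking for it.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS or is_internal(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "protocol": OT_PORTS[rec["dport"]],
            "action": rec["action"].upper(),
        })
    return findings


def exposed_controllers(findings):
    """Destinations that actually accepted an external OT connection: take these off the internet first."""
    return sorted({f["dst"] for f in findings if f["action"] == "ALLOW"})


def hits_per_target(findings):
    """Count external hits per (destination, port) so the most-targeted devices surface."""
    return Counter((f["dst"], f["dport"]) for f in findings)


# Constructed sample log. 10.x is the plant network; 198.51.100.x and 192.0.2.x stand
# in for outside addresses; 203.0.113.x stands in for the site's public-facing hosts.
SAMPLE_LOG = [
    "2026-04-07T02:14:05Z 10.20.1.15:51234 -> 10.20.5.10:44818 tcp ALLOW",      # internal HMI to PLC, expected
    "2026-04-07T02:15:11Z 198.51.100.23:40122 -> 203.0.113.40:44818 tcp ALLOW",  # outside -> controller, accepted
    "2026-04-07T02:15:12Z 198.51.100.23:40123 -> 203.0.113.40:2222 udp ALLOW",
    "2026-04-07T02:16:40Z 192.0.2.77:55001 -> 203.0.113.41:502 tcp DENY",        # probe blocked at the firewall
    "2026-04-07T02:17:02Z 192.0.2.77:55002 -> 203.0.113.41:102 tcp DENY",
    "2026-04-07T02:18:30Z 198.51.100.23:40200 -> 203.0.113.40:443 tcp ALLOW",    # not an OT port, ignored
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    found = find_external_ot_traffic(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['action']:5} {f['src']} -> {f['dst']}:{f['dport']} ({f['protocol']})")
    print("Controllers accepting external OT traffic:", exposed_controllers(found))
    print("Hits per target:", dict(hits_per_target(found)))
```

On the constructed sample the script reports four external hits and one controller (203.0.113.40) that accepted traffic on 44818 and 2222, while the Modbus and S7 probes against 203.0.113.41 were denied. Against a real log the internal ranges should be replaced with the site's own OT and engineering subnets, and an ALLOW finding is the cue to pull the device behind a VPN or jump host and check its project file and run-mode switch, as the advisory recommends.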