Officials report Iran cyberattacks targeting power

U.S. officials say Iran has attempted cyberattacks against critical American infrastructure, with power plants among the targets, raising concerns about grid security and resilience. The shift highlights cyber risk as an increasingly relevant backdrop for infrastructure and emergency-preparedness work. (latimes.com)

U.S. officials said on April 7, 2026, that Iran-affiliated hackers have attempted cyberattacks against American critical infrastructure, including power systems, and that some of the activity has already caused disruptions. Federal agencies described the campaign as an urgent threat to sectors that run physical services such as electricity, water, and government facilities. (cisa.gov)

The immediate concern is not a stolen password or a frozen office computer. The concern is industrial equipment that opens valves, starts pumps, and helps operators monitor power plants and substations, because those systems sit close to the machinery that keeps electricity flowing. (politico.com)

At the center of the warning are programmable logic controllers, which are small industrial computers used to run physical processes. In a power setting, a programmable logic controller can act like the timed switchboard for a factory floor, telling equipment when to turn on, shut off, or change state. (politico.com)

Federal agencies said the hackers targeted internet-facing operational technology devices, especially programmable logic controllers made by Rockwell Automation under the Allen-Bradley brand. That matters because Rockwell equipment is widely used across U.S. industrial sites, so one family of exposed devices can create a broad attack surface. (cisa.gov)

The agencies said the intrusions were not limited to peeking inside systems. They reported malicious interactions with project files and manipulation of data shown on human-machine interface and supervisory control and data acquisition screens, which are the dashboards operators use to see what equipment is doing. (cisa.gov)

That kind of manipulation is dangerous because operators make decisions based on what those screens show. If a display says a pump is normal when it is not, or shows a false alarm, the people running the facility can be pushed into the wrong response at the wrong time. (cisa.gov)

The April 7 advisory was issued jointly by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, the Department of Energy, the Environmental Protection Agency, U.S. Cyber Command, and the Cyber National Mission Force. When that many agencies sign the same document, it usually means the government sees both a live threat and a need for immediate action by private operators. (cisa.gov)

Officials said the attacks resemble the 2023 campaign linked to the Iranian group CyberAv3ngers, which defaced Israeli-made control panels at multiple U.S. water facilities in Pennsylvania. That earlier episode showed that relatively simple access to exposed industrial devices can still create real-world disruption and public alarm. (politico.com)

The timing also matters. The federal advisory said Iranian-affiliated targeting of U.S. organizations has recently escalated, likely in response to current hostilities, and outside analysts have warned for days that energy systems would become a more attractive target as tensions rose. (cisa.gov; csis.org)

Power infrastructure is a tempting cyber target because it mixes old equipment, remote access tools, and strict uptime requirements. Utilities cannot patch or reboot every controller the way a bank can update office laptops, because many systems are tied to continuous physical operations. (csis.org)

The federal guidance focused on a simple weakness with huge consequences: devices connected directly to the public internet. Agencies told organizations to remove programmable logic controllers from direct internet exposure, review logs for suspicious traffic, and pay special attention to industrial ports including 44818, 2222, 102, and 502. (cisa.gov)

For Rockwell devices, agencies also recommended placing the controller’s physical mode switch into run position, which helps prevent unauthorized remote logic changes. That is the industrial equivalent of locking the settings panel on a machine so someone outside the building cannot quietly rewrite how it behaves. (cisa.gov)

The warning does not say the U.S. grid is collapsing or that a nationwide blackout is underway. It says something more specific and more plausible: Iran-affiliated actors are probing and disrupting exposed industrial systems one site at a time, and power operators are now treating cyber defense as part of basic grid reliability, not just information technology hygiene. (cisa.gov; politico.com)
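
The log review the agencies recommend, for traffic to ports 44818, 2222, 102, and 502, can be scripted against a firewall export. The sketch below is an added example, not code from the advisory or the article; the log format, the internal network ranges, the protocol labels and the function name `external_ot_hits` are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the guidance above; protocol labels are common assignments (not from the article).
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O", 102: "ISO-TSAP (S7)", 502: "Modbus/TCP"}
# Networks allowed to reach controllers (assumed values; replace with the site's own).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in an iptables-style key=value layout (an assumed format).
# External addresses are taken from the reserved documentation ranges.
SAMPLE_LOG = """\
2026-04-07T02:14:09Z ACTION=ALLOW SRC=203.0.113.45 DST=10.20.1.15 PROTO=TCP DPT=44818
2026-04-07T02:14:11Z ACTION=ALLOW SRC=203.0.113.45 DST=10.20.1.15 PROTO=TCP DPT=44818
2026-04-07T02:15:30Z ACTION=ALLOW SRC=10.20.5.8 DST=10.20.1.15 PROTO=TCP DPT=44818
2026-04-07T02:16:02Z ACTION=DROP SRC=198.51.100.7 DST=10.20.1.22 PROTO=TCP DPT=502
2026-04-07T02:17:45Z ACTION=ALLOW SRC=198.51.100.7 DST=10.20.1.30 PROTO=TCP DPT=443
2026-04-07T02:18:00Z ACTION=ALLOW SRC=192.0.2.99 DST=10.20.1.15 PROTO=TCP DPT=102
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACTION=(?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

def external_ot_hits(log_text, internal_nets=INTERNAL_NETS):
    """Map (dst, port) -> allowed/blocked counts and source set for outside-to-OT traffic."""
    hits = defaultdict(lambda: {"allowed": 0, "blocked": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        port = int(m["dpt"])
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if port not in OT_PORTS or any(src in net for net in internal_nets):
            continue  # not an industrial port, or traffic from a trusted network
        entry = hits[(m["dst"], port)]
        entry["allowed" if m["action"] == "ALLOW" else "blocked"] += 1
        entry["sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for (dst, port), e in sorted(external_ot_hits(SAMPLE_LOG).items()):
        print(f"{dst}:{port} ({OT_PORTS[port]}) allowed={e['allowed']} "
              f"blocked={e['blocked']} sources={sorted(e['sources'])}")
```

An `allowed` count above zero means a controller port was reachable from outside the trusted networks and should be treated as direct exposure; `blocked` entries show probing that the firewall stopped.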
