
CISA Warning: Iranian-Affiliated Hackers Targeting US Critical Infrastructure PLCs to Cause Disruption

dark6 12 April 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, has issued an urgent joint advisory warning of an active campaign by Iranian-affiliated advanced persistent threat actors targeting Programmable Logic Controllers (PLCs) embedded within U.S. critical infrastructure. Designated AA26-097A, the advisory describes a deliberate effort to disrupt the function of industrial control systems across sectors including water and wastewater, energy, and manufacturing, with activity traced back to at least March 2026.

What are PLCs and Why Do They Matter?

Programmable Logic Controllers are specialized industrial computers used to automate physical processes in critical infrastructure environments. They control everything from water treatment chemical dosing and pump operations to power grid switching and manufacturing assembly lines. Unlike traditional IT systems, PLCs interact directly with the physical world — meaning a successful cyberattack on a PLC can have immediate, tangible consequences for public safety, utility operations, and industrial production.

Internet-exposed PLCs represent a particularly dangerous attack surface because they often run outdated firmware, lack strong authentication mechanisms, and were originally designed for isolated networks rather than the internet-connected environments in which many now operate. This makes them attractive targets for threat actors seeking to achieve disruptive effects with relatively modest technical resources.

Details of the Iranian-Affiliated Campaign

According to CISA advisory AA26-097A, the Iranian-affiliated APT actors have been systematically scanning for and targeting internet-exposed PLCs since at least March 2026. The FBI assesses that the group’s primary intent is to cause operational disruptions to U.S. critical infrastructure organizations rather than to conduct espionage or data theft. Key characteristics of the campaign include:

  • Systematic scanning of internet-connected ICS/SCADA systems using widely available industrial network discovery tools
  • Targeting of PLCs from multiple vendors that are exposed directly to the internet without VPN protection or network segmentation
  • Attempts to modify PLC logic and setpoints to cause operational anomalies or process shutdowns
  • Activity observed across multiple critical infrastructure sectors, with water and wastewater facilities among the most frequently targeted

This campaign follows a pattern of Iranian cyber actors targeting U.S. water infrastructure that dates back to 2023, when Iranian-affiliated group CyberAv3ngers attacked Unitronics PLCs at water utilities in Pennsylvania and other states. The current campaign suggests an acceleration and broadening of this operational focus.

Affected Sectors

While the advisory covers critical infrastructure broadly, CISA has highlighted the following sectors as facing elevated risk:

  • Water and Wastewater Systems: Treatment facilities and distribution networks operating internet-connected PLCs for chemical control and pump management
  • Energy Sector: Electrical substations and generation facilities with exposed automation systems
  • Manufacturing: Industrial facilities using internet-accessible PLCs for production line automation
  • Transportation Infrastructure: Traffic management and rail signaling systems with remote monitoring capabilities

CISA Recommended Mitigations

CISA and the FBI have outlined a comprehensive set of mitigations that critical infrastructure operators should implement immediately to reduce their exposure to this threat:

  • Disconnect PLCs from direct internet exposure: PLCs should never be directly accessible from the public internet. Where remote access is required, it must be routed through a VPN with strong authentication.
  • Implement multi-factor authentication (MFA): All remote access to industrial control systems should require MFA to prevent credential-based intrusions.
  • Change default credentials: Many PLCs ship with manufacturer default usernames and passwords that must be changed before deployment.
  • Apply firmware updates: Keep PLC firmware and HMI software current to address known vulnerabilities.
  • Monitor for anomalous behavior: Deploy OT-specific monitoring tools capable of detecting unauthorized PLC logic modifications or unusual setpoint changes.
  • Segment OT networks: Implement strict network segmentation between operational technology (OT) and information technology (IT) environments to limit lateral movement.
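As an added example that is not part of the advisory or this article, the block below shows what the "monitor for anomalous behavior" and "disconnect from direct internet exposure" items look like as detection logic. It runs over a few constructed OT event records and raises an alert for each of the behaviours the list calls out: traffic reaching a PLC from an address outside the OT network, write or logic-download operations from a host that is not an approved engineering workstation, any PLC program download, and setpoint writes that fall outside an engineering tolerance band. The log line format, the IP addresses, the register number 40010, and the 6.5 to 8.5 band are all assumptions made for the example, not a vendor's real format or a real site's values.

```python
"""Minimal OT anomaly detector (added example; field names, addresses,
register numbers and bands are constructed for illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample events in an assumed "ts key=value ..." format.
SAMPLE_EVENTS = [
    "2026-03-14T02:11:05Z src=10.20.0.15 dst=10.20.1.40 op=read_holding reg=40001 value=7.2",
    "2026-03-14T02:11:09Z src=198.51.100.23 dst=10.20.1.40 op=write_single reg=40010 value=0.0",
    "2026-03-14T02:12:44Z src=10.20.0.15 dst=10.20.1.40 op=write_single reg=40010 value=7.4",
    "2026-03-14T02:13:01Z src=10.20.0.99 dst=10.20.1.40 op=program_download reg=- value=-",
    "2026-03-14T02:13:30Z src=10.20.0.15 dst=10.20.1.40 op=write_single reg=40010 value=12.0",
]

# Constructed site policy: the OT address space, the approved engineering
# workstations, and the expected operating band per setpoint register.
OT_NETWORKS = [ip_network("10.20.0.0/16")]
ENGINEERING_HOSTS = {"10.20.0.15"}
SETPOINT_BANDS = {40010: (6.5, 8.5)}  # assumed register and band (e.g. a pH target)
WRITE_OPS = {"write_single", "write_multiple", "program_download"}


@dataclass
class Alert:
    timestamp: str
    src: str
    reason: str


def parse_event(line):
    """Split one 'ts key=value ...' record into a dict (assumed format)."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["timestamp"] = ts
    return fields


def in_ot_network(addr):
    ip = ip_address(addr)
    return any(ip in net for net in OT_NETWORKS)


def check_event(ev):
    """Return the list of alerts a single event triggers (may be empty)."""
    alerts = []
    ts, src, op = ev["timestamp"], ev["src"], ev["op"]

    # 1. Any PLC traffic from outside the OT network means the controller is
    #    reachable from where it should not be (exposure, not just misuse).
    if not in_ot_network(src):
        alerts.append(Alert(ts, src, "PLC traffic from address outside OT network"))

    # 2. Writes and logic downloads are only expected from engineering hosts.
    if op in WRITE_OPS and src not in ENGINEERING_HOSTS:
        alerts.append(Alert(ts, src, f"{op} from non-engineering host"))

    # 3. Every logic download is worth an alert; reconcile against change control.
    if op == "program_download":
        alerts.append(Alert(ts, src, "PLC logic download observed"))

    # 4. Setpoint writes outside the engineering band are process-impacting.
    if op.startswith("write") and ev["reg"].isdigit():
        reg = int(ev["reg"])
        if reg in SETPOINT_BANDS:
            lo, hi = SETPOINT_BANDS[reg]
            val = float(ev["value"])
            if not lo <= val <= hi:
                alerts.append(Alert(ts, src,
                    f"setpoint register {reg} written to {val}, outside band {lo}-{hi}"))
    return alerts


def analyze(lines):
    """Run every record through check_event and collect the alerts."""
    alerts = []
    for line in lines:
        alerts.extend(check_event(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.src}: {a.reason}")
```

On the constructed input this produces six alerts: three for the write from 198.51.100.23 (outside the OT network, not an engineering host, and a setpoint of 0.0 below the band), two for the logic download from 10.20.0.99, and one for the engineering workstation's own out-of-band write of 12.0. In practice the allowlists and bands would come from the site's asset inventory and process engineering documents rather than being hard-coded, and the per-register band check is the part that catches a "legitimate" host being used to push a damaging setpoint.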

Broader Context: Iran’s Escalating Cyber Offensive

This advisory arrives amid a notable escalation in Iranian cyber operations against Western targets in 2026. The PRISMEX-adjacent timing — with Iranian-affiliated actors conducting disruptive ICS attacks while pro-Iranian hacktivist groups simultaneously claim massive defense contractor breaches — suggests a coordinated, multi-domain offensive posture from Tehran-linked cyber actors operating across multiple mission sets at once.

Critical infrastructure operators, particularly those in the water and energy sectors, should treat advisory AA26-097A as an immediate operational priority. The combination of low technical barriers to PLC exploitation and high potential for public safety impact makes this threat category one of the most serious facing U.S. infrastructure defenders today.

Organizations that have identified suspicious activity consistent with this advisory are urged to report incidents to CISA via the agency’s 24/7 reporting line at (888) 282-0870 or at https://www.cisa.gov/report.
