Iran cyber actors disrupting US water, energy facilities, FBI warns

Summary

US agencies have issued a joint alert saying Iranian-affiliated cyber actors have stepped up intrusions against critical US water and energy facilities. The advisory — from the FBI, CISA, NSA, EPA, Department of Energy and US Cyber Command — says attackers are targeting internet-exposed operational technology (OT) devices: programmable logic controllers (PLCs) made by Rockwell Automation/Allen-Bradley, human-machine interfaces (HMIs) and SCADA displays. Some victims experienced operational disruption and financial loss.

The activity has been observed since March and follows prior incidents in 2023 and 2024 where Iranian-linked groups abused default passwords and deployed custom malware to interfere with OT systems. Security firms report identical targeting in Israel, and analysts say the campaign is broader and faster than before.

Key Points

  • US federal agencies warn Iranian-affiliated APT actors are targeting internet-accessible PLCs, HMIs and SCADA systems.
  • Victims include water and energy infrastructure; some disruptions and financial losses have been confirmed.
  • Targeted devices are often Rockwell Automation/Allen-Bradley PLCs — vendors have published mitigation guidance including disconnecting internet-exposed devices.
  • Past intrusions (2023–2024) used default passwords and custom malware to control OT devices; current activity appears faster and broader.
  • Defensive recommendations: patch systems, enable multi-factor authentication, remove direct internet exposure for OT, and review logs for suspicious traffic on OT ports (44818, 2222, 102, 502).
  • Industry telemetry (Check Point) shows energy and utilities remain heavily targeted; similar campaigns were observed against Israeli PLCs last month.

Context and relevance

This alert arrives amid a regional conflict that has coincided with increased Iranian cyber activity. For organisations running industrial control systems, the advisory underscores a recurring pattern: nation-affiliated actors will exploit internet-exposed OT gear and weak operational hygiene to cause disruption. The joint nature of the alert — multiple US agencies collaborating — signals both the seriousness and the cross-sector risk to water, energy and other critical services.

For security teams and operators, the immediate relevance is practical: ensure PLCs and HMIs are not directly reachable from the internet, follow Rockwell’s mitigation guidance, apply patches, enforce MFA where possible, and hunt for unusual traffic from overseas hosting providers on the OT ports listed above.
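As an added example (not code from the advisory or The Register article) of the log review recommended above: this script parses constructed firewall-style flow records, flags connections to the four OT ports from any source outside an assumed allowlisted network (10.20.0.0/16 is a placeholder), and counts distinct OT targets per outside source so a host touching several PLCs stands out. The log format and the allowlist are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The OT ports named in the advisory and what normally listens on them.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging, Rockwell/Allen-Bradley)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    502: "Modbus/TCP",
}

# Assumption: only this network may reach the OT segment; adjust to your site.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow-log lines (not real data): ts src:sport -> dst:dport proto action
LOG_LINES = """\
2026-04-07T02:11:05Z 10.20.5.17:51022 -> 10.30.1.10:44818 tcp ALLOW
2026-04-07T02:11:09Z 203.0.113.45:40211 -> 10.30.1.10:44818 tcp ALLOW
2026-04-07T02:12:41Z 198.51.100.9:3389 -> 10.30.1.22:502 tcp ALLOW
2026-04-07T02:13:02Z 10.20.5.17:51023 -> 10.30.1.10:80 tcp ALLOW
2026-04-07T02:14:30Z 203.0.113.45:40212 -> 10.30.1.31:102 tcp ALLOW
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)"
)

def is_allowed_source(ip):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious_ot_flows(lines):
    """Return (ts, src, dst, dport, label) for OT-port flows from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        dport = int(m["dport"])
        if dport in OT_PORTS and not is_allowed_source(m["src"]):
            hits.append((m["ts"], m["src"], m["dst"], dport, OT_PORTS[dport]))
    return hits

def summarize_by_source(hits):
    """Count distinct (device, port) targets per outside source to spot sweeps of many PLCs."""
    per_src = defaultdict(set)
    for _, src, dst, dport, _ in hits:
        per_src[src].add((dst, dport))
    return {src: len(targets) for src, targets in per_src.items()}
```

Run it against exported firewall or NetFlow records; the internal host on port 80 is ignored, while the two outside addresses reaching ports 44818, 502 and 102 are reported.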

Why should I read this

Because if you run, manage or secure infrastructure that keeps water flowing or power on, this is the sort of stuff that keeps you awake. The joint FBI/CISA/NSA advisory shows these actors aren’t just poking around — they’re targeting PLCs and SCADA to cause real disruption. Quick wins: unplug public-facing PLCs, force MFA, patch, and check logs on those OT ports. We’ve saved you the time of parsing the advisory — here’s what to do first.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/