US agencies warn water sector of active Iranian cyberattacks
The US Environmental Protection Agency (EPA), FBI, CISA, NSA, Department of Energy, and US Cyber Command published a joint advisory confirming that Iranian-affiliated advanced persistent threat (APT) actors are actively exploiting internet-connected operational technology (OT) devices, with water and wastewater systems explicitly identified as a primary target.
The attacks focus on programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. Confirmed since at least March 2026, intrusions have led to configuration wiping, sensor tampering, and disruption of the control displays that operators rely on to monitor their systems — in some cases resulting in operational disruption and financial loss.
The method is particularly concerning: attackers access exposed PLCs using legitimate programming software, effectively blending in as authorised users. Once inside, they can alter what operators see on their screens, potentially misleading staff about the actual state of treatment or distribution processes.
The agencies link the activity to Iranian-affiliated APT actors previously associated with CyberAv3ngers, a group affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) that carried out a similar campaign against US water infrastructure in 2023. The advisory notes that attacks have likely escalated in response to heightened tensions between Iran, the United States, and Israel.
"Cyberattacks on drinking water and wastewater systems directly threaten public health and community resilience," said EPA Assistant Administrator Jeffrey A. Hall. "A single breach can disrupt treatment or introduce contaminants, damage equipment, and erode public trust."
Utilities are urged to act immediately: the most critical step is removing PLCs from direct internet exposure and routing any remote access through a secure gateway. Organisations should also check logs for suspicious traffic on OT-associated ports, implement multifactor authentication, and maintain offline backups of PLC configurations.
The EPA emphasises that cybersecurity improvements often entail procedural rather than hardware-based changes, making them achievable even for utilities with limited resources. Free assessments and technical assistance are available at www.epa.gov/cyberwater.


