On April 7, 2026, the FBI, CISA, NSA, EPA, the Department of Energy, and U.S. Cyber Command released joint cybersecurity advisory AA26-097A, warning that Iranian-affiliated advanced-persistent-threat actors are conducting attacks intended to cause disruptive effects against U.S. critical infrastructure. The agencies assess that, since at least March 2026, this activity has disrupted the function of programmable logic controllers (PLCs) deployed across multiple sectors, and that some victims experienced operational disruption and financial loss. The targeted sectors named are Water and Wastewater Systems, the Energy sector, and Government Services and Facilities. Through May 2026, this campaign is the defining operational-technology threat to U.S. critical infrastructure.
The escalation here is the word "disruptive." Iranian-affiliated activity against U.S. infrastructure is not new — the same threat designation, CyberAv3ngers (also tracked as Bauxite by Dragos, Storm-0784 by Microsoft, and IRGC-CEC-linked by the U.S. government), compromised at least 75 Unitronics PLCs at water and wastewater facilities in November 2023, including the Municipal Water Authority of Aliquippa, Pennsylvania. What is different in 2026 is that the agencies report actual operational impact rather than the largely symbolic defacement of the earlier wave. The actors are interacting maliciously with PLC project files and manipulating what operators see on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.
This post walks through what AA26-097A actually says, the device classes and weaknesses in scope, why internet-exposed PLCs remain the soft underbelly of critical infrastructure, and the concrete OT hardening steps that matter most. We are explicit throughout about what the advisory attributes versus what is inferred, because attribution of the current campaign to a specific named group was hedged in the agencies' own framing.
TL;DR
- Joint advisory AA26-097A (April 7, 2026) from FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command warns of Iranian-affiliated actors causing disruptive effects on U.S. critical infrastructure PLCs.
- Activity has been observed since at least March 2026; some victims experienced operational disruption and financial loss. It remains active through May 2026.
- Targeted sectors: Water and Wastewater Systems, Energy, and Government Services and Facilities.
- Primary targeted equipment: internet-exposed PLCs from Rockwell Automation/Allen-Bradley (CompactLogix and Micro850 cited in reporting). Other vendors may also be at risk; the 2023 wave hit Unitronics Vision Series PLCs.
- Reporting links exposure to CVE-2021-22681, a CVSS 10.0 authentication-bypass in Rockwell Logix products that uses a hard-coded/insufficiently-protected cryptographic key and cannot be fixed with a patch — network defense is the only mitigation.
- TTPs include malicious interaction with PLC project files and manipulation of HMI/SCADA displays. Default credentials and direct internet exposure are recurring root enablers.
- Highest-impact action: get PLCs and HMIs off the public internet, behind firewalls, with MFA on all remote access. Reporting cited over 3,000 Rockwell devices exposed to the public internet.
What the advisory says
AA26-097A is a joint product. The authoring and contributing agencies named in reporting are the FBI, CISA, NSA, EPA, the Department of Energy, and U.S. Cyber Command — a lineup that signals both the seriousness and the cross-sector breadth of the concern, since EPA owns water-sector coordination and DOE owns energy-sector coordination.
The core assessment: since at least March 2026, an Iranian-affiliated APT group has disrupted the function of PLCs across multiple U.S. critical-infrastructure sectors, with some victims reporting operational disruption and financial loss. The intent described is disruption — not just access or reconnaissance. The actors are reported to be targeting internet-facing PLCs, maliciously interacting with project files, and manipulating data displayed on HMI and SCADA screens. The advisory provides indicators of compromise in machine-readable formats (XML and JSON) and directs operators to its Mitigations section for urgent action.
On attribution, precision matters. The agencies tie the current campaign to prior CyberAv3ngers activity and the broader IRGC-Cyber Electronic Command nexus, but reporting on AA26-097A noted the agencies did not flatly attribute the 2026 campaign to CyberAv3ngers by name in the main text; the link is to "similar activity previously reported." CyberAv3ngers (aka Shahid Kaveh / Bauxite / Storm-0784 / Hydro Kitten / UNC5691) has operated since at least 2020. We treat the IRGC-affiliated framing as the agencies' assessment and the specific group label as strongly indicated but not flatly confirmed for the 2026 wave.
The device and vulnerability landscape
The targeted equipment, per reporting on the advisory, centers on Rockwell Automation/Allen-Bradley PLCs, with CompactLogix and Micro850 controllers cited specifically. The agencies note other vendors may also be at risk, and the 2023 precursor campaign targeted Unitronics Vision Series PLCs, so this is best understood as a class problem across internet-exposed industrial controllers rather than a single-vendor flaw.
One specific weakness named in reporting is CVE-2021-22681, an authentication-bypass vulnerability in Rockwell's Studio 5000 Logix Designer, RSLogix 5000, and Logix controllers. It carries a CVSS v3 base score of 10.0. The root cause is an insufficiently protected cryptographic key: the software uses a key to verify communication between an engineering station and a Logix controller, and that key can be discovered. With it, an attacker can remotely connect to nearly any affected Logix PLC and upload malicious logic, download information, or install firmware. Critically, Rockwell has stated this issue cannot be mitigated with a patch — the fix is network-based defense, which is exactly why internet exposure is the controlling risk factor.
Reporting tied to the advisory noted over 3,000 Rockwell devices exposed on the public internet. That number is the heart of the problem. A controller that should never be directly reachable from the internet, running a protocol with a recoverable trust key, is a target that requires no novel exploitation — only discovery.
```text
# Illustrative PLC-targeting chain reflecting AA26-097A TTPs (educational, NOT a working exploit)
1. Discovery          -> internet scan for exposed PLC/HMI protocols (e.g. EtherNet/IP, VNC, web UIs)
2. Access             -> default/weak credentials OR auth bypass via recoverable key (CVE-2021-22681 class)
3. Foothold           -> connect engineering-station session to the controller
4. Manipulation       -> alter PLC project files / control logic
5. Operator deception -> manipulate HMI / SCADA display values to mask the real process state
6. Disruptive effect  -> drive process out of safe/operational band; financial + operational loss
```
The deception step is what makes the 2026 wave dangerous beyond simple defacement. Manipulating the HMI/SCADA display so the control-room view does not reflect physical reality delays human response, which is precisely how a nuisance intrusion becomes an operational-disruption event.
What detection looks like
PLC and HMI environments are not laptops; the telemetry is different and the baseline is far more static, which works in defenders' favor. Concrete signals:
- Internet-exposure inventory. The first detection is exposure itself. Continuously scan your own external footprint for any reachable PLC, HMI, or engineering-protocol port. An exposed controller is a finding before any IOC.
- Engineering-station session anomalies. Alert on programming/engineering sessions to a PLC from any host that is not the designated engineering workstation, off-hours sessions, and sessions from new or external source addresses.
- PLC project-file and logic changes. Monitor for unexpected program downloads, mode changes (remote/program vs. run), and firmware changes. Many controllers and historians log these; treat any change outside a planned maintenance window as high severity.
- HMI/SCADA value integrity. Cross-check displayed values against independent sensors or historian data where possible. Divergence between the control-room view and ground truth is the signature of the display-manipulation TTP.
- Physical-mode-switch position. For Rockwell controllers, the physical key/mode switch in the RUN position prevents remote program changes; monitor and audit switch positions as a control.
- IOC ingestion. Pull the XML/JSON indicators published with AA26-097A into your OT monitoring and netflow tooling and alert on matches at the IT/OT boundary.
The asset-visibility precondition is the same one that bites every OT environment: you cannot detect manipulation of a controller you did not know was on the network, and you cannot prioritize the right ones without knowing which are internet-reachable.
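The signals above can be turned into simple rules over engineering-session and HMI telemetry. The following is an added example written for this post, not code from the advisory or any product; the log line format, host names, maintenance window and historian readings are constructed assumptions, and a real deployment would feed the same rules from the controller's own audit log and historian.

```python
"""Detection logic for the engineering-session, mode-change and HMI-integrity
signals above. Added example, not from the advisory or any product; the log
format, hostnames, window and historian values are constructed assumptions."""
from datetime import datetime, time

DESIGNATED_EWS = {"ews-01"}                 # the only host allowed to program PLCs
MAINT_WINDOW = (time(8, 0), time(17, 0))    # planned change window, local time
HISTORIAN = {"tank1_level": 91.0}           # independent ground truth per tag
HMI_TOLERANCE_PCT = 5.0                     # divergence that counts as manipulation
CHANGE_EVENTS = {"session_open", "program_download", "mode_change", "firmware_update"}

# Constructed sample log: "<iso-ts> <event> src=<host> plc=<name> [key=value ...]"
SAMPLE_LOG = """\
2026-03-14T09:12:00 session_open src=ews-01 plc=plc-lift-3
2026-03-15T02:41:10 session_open src=203.0.113.7 plc=plc-lift-3
2026-03-15T02:43:52 program_download src=203.0.113.7 plc=plc-lift-3
2026-03-15T02:44:01 mode_change src=203.0.113.7 plc=plc-lift-3 mode=remote_run
2026-03-15T02:45:00 hmi_value src=hmi-01 plc=plc-lift-3 tag=tank1_level value=62.0
2026-03-16T10:00:00 program_download src=ews-01 plc=plc-lift-3
"""

def parse(line):
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec

def evaluate(line):
    """Return (severity, reason) findings for one log line."""
    r, findings = parse(line), []
    if r["event"] in CHANGE_EVENTS:
        if r["src"] not in DESIGNATED_EWS:
            findings.append(("high", f"{r['event']} on {r['plc']} from non-EWS host {r['src']}"))
        if not MAINT_WINDOW[0] <= r["ts"].time() <= MAINT_WINDOW[1]:
            findings.append(("high", f"{r['event']} on {r['plc']} outside maintenance window"))
    elif r["event"] == "hmi_value" and r["tag"] in HISTORIAN:
        truth, shown = HISTORIAN[r["tag"]], float(r["value"])
        if abs(shown - truth) > abs(truth) * HMI_TOLERANCE_PCT / 100:
            findings.append(("critical", f"HMI shows {r['tag']}={shown} but historian has {truth}"))
    return findings

def run(log=SAMPLE_LOG):
    """Map line number -> findings for every line that triggered at least one."""
    results = {}
    for lineno, line in enumerate(log.splitlines(), 1):
        hits = evaluate(line)
        if hits:
            results[lineno] = hits
    return results
```

In the constructed sample, lines 2 to 4 trip both the non-EWS and off-hours rules, and line 5 is the display-manipulation signature: the HMI reports a tank level that the historian contradicts.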
What to do Monday morning
Ordered by urgency, drawn from the mitigations associated with AA26-097A.
- Take PLCs and HMIs off the public internet. This is the single most effective action and it neutralizes the 2026 campaign's primary access path. Enumerate every internet-reachable controller and HMI and remove that reachability today; over 3,000 Rockwell devices were reportedly exposed.
- Put control systems behind a firewall and segment IT from OT. No direct path from the internet or general IT network to engineering protocols. Where remote engineering access is required, route it through a hardened jump host inside a DMZ.
- Require MFA on all remote access to OT. The advisory's mitigations explicitly call for multifactor authentication. Eliminate shared and default credentials on controllers, HMIs, and engineering stations.
- Set Rockwell physical mode switches to RUN. Where the platform supports it, the physical switch in RUN blocks remote program changes and is a strong compensating control for the unpatchable CVE-2021-22681 class.
- Use VPN-only access for required remote operations, and treat the VPN endpoints as in-scope. A VPN is only as trustworthy as the device terminating it; patch and harden those endpoints.
- Hunt against the AA26-097A IOCs and review logs. Ingest the published indicators, then review engineering-session, mode-change, and project-download logs for the activity window since March 2026.
- Validate alarms and HMI integrity. Confirm alarms cannot be silently disabled and that operators have an independent way to verify process state, given the display-manipulation TTP.
- Coordinate with your sector. Water utilities should engage EPA and WaterISAC; energy operators should engage DOE and E-ISAC; everyone should report suspected activity to CISA and the FBI per the advisory.
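The first four items above can be expressed as a continuous check rather than a one-off audit. What follows is an added example for this post, not the advisory's mitigations code or any vendor's tooling; the asset inventory, the firewall-rule tuple format, the internal address space and the port list are constructed assumptions.

```python
"""Policy-as-code check for the non-negotiables above: no PLC/HMI reachable from
the internet, engineering protocols only via the jump host, MFA on every path
into OT, mode switches in RUN. Added example, not the advisory's or any vendor's
tooling; inventory, rule format and port list are constructed assumptions."""
from ipaddress import ip_network

OT_SUBNET = ip_network("10.20.1.0/24")     # constructed plant network
INTERNAL = [ip_network("10.0.0.0/8")]      # constructed: any other source is "internet"
ENGINEERING_PORTS = {44818: "EtherNet/IP", 5900: "VNC", 80: "HTTP UI", 443: "HTTPS UI"}

# Constructed asset inventory; mode_switch applies to Rockwell PLCs only.
ASSETS = {
    "plc-lift-3": {"net": ip_network("10.20.1.10/32"), "role": "plc", "mode_switch": "REMOTE"},
    "hmi-01": {"net": ip_network("10.20.1.50/32"), "role": "hmi", "mode_switch": None},
    "jump-01": {"net": ip_network("10.10.0.5/32"), "role": "jump", "mode_switch": None},
}
JUMP_NETS = [a["net"] for a in ASSETS.values() if a["role"] == "jump"]

# Constructed firewall rules: (src, dst, port, mfa_enforced).
RULES = [
    ("0.0.0.0/0", "10.20.1.10/32", 44818, False),    # internet -> PLC: the campaign's access path
    ("10.10.0.5/32", "10.20.1.0/24", 44818, True),   # jump host -> OT engineering: compliant
    ("10.0.0.0/8", "10.20.1.50/32", 5900, False),    # corporate IT -> HMI VNC: no jump, no MFA
]

def is_internet(src):
    return not any(src.subnet_of(n) for n in INTERNAL)

def evaluate_rules(rules=RULES):
    """Return (severity, message) for each rule that violates the policy."""
    findings = []
    for src, dst, port, mfa in rules:
        src, dst = ip_network(src), ip_network(dst)
        if not dst.overlaps(OT_SUBNET):
            continue                                  # not an OT path; out of scope
        proto = ENGINEERING_PORTS.get(port, f"tcp/{port}")
        if is_internet(src):
            findings.append(("critical", f"{proto} on {dst} reachable from internet ({src})"))
        elif port in ENGINEERING_PORTS and not any(src.subnet_of(j) for j in JUMP_NETS):
            findings.append(("high", f"{proto} on {dst} reachable from {src}, not via jump host"))
        if not mfa and not src.subnet_of(OT_SUBNET):
            findings.append(("high", f"remote path {src} -> {dst}:{port} without MFA"))
    return findings

def evaluate_assets(assets=ASSETS):
    """Flag PLCs whose physical mode switch is not in RUN (blocks remote program changes)."""
    return [("medium", f"{name} mode switch is {a['mode_switch']}, not RUN")
            for name, a in assets.items() if a["role"] == "plc" and a["mode_switch"] != "RUN"]
```

Run against the constructed rules, the internet-to-PLC rule is the critical finding, the corporate-IT-to-HMI VNC path fails both the jump-host and MFA gates, and the jump-host rule passes clean.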
Why this keeps happening
The structural problem is that operational technology was built for availability and reliability over decades-long lifecycles, in an era when "the network" meant a physically isolated plant LAN. Remote monitoring, vendor support, and cost pressure then connected those systems to the internet without re-architecting their trust model. The result is a large installed base of controllers that authenticate weakly or with recoverable keys, that cannot always be patched, and that were never designed to face an internet adversary.
CVE-2021-22681 is the clean illustration: a CVSS 10.0 flaw that Rockwell has said cannot be fixed with a patch. When the vendor's own guidance is "use network-based defenses," the security of the device is entirely a function of whether you exposed it. The 2023 Unitronics wave taught the same lesson with default credentials. The 2026 campaign is the same root cause — internet exposure plus weak authentication — with a more capable and more disruptive adversary now operating at the other end.
It keeps happening because the people who connect these devices, the people who operate them, and the people responsible for securing them are often three different organizations with three different incentives, and because the asset inventory that would reveal the exposure frequently does not exist.
The structural fix
No security platform "prevents" a state-aligned adversary from probing internet-exposed PLCs, and the honest framing for OT is that the decisive controls are architectural: segmentation, removing internet exposure, MFA, and physical mode switches. What tooling can do is shorten the time to find the exposure and shrink the blast radius once an adversary is active.
For organizations running IT/OT estates, Safeguard's cloud and infrastructure security posture and drift-detection capabilities help by surfacing exposure and configuration drift — including newly internet-reachable assets — before an adversary's scan does. Policy-as-code lets you encode the non-negotiables (no internet-reachable controllers, MFA required for remote OT access, segmentation enforced) as continuous gates rather than annual audit findings. And incident response workflows turn the AA26-097A IOC set into a scoped hunt instead of a manual scramble. The architectural fixes remain primary; the platform's role is to make the exposure visible and keep it from quietly returning.
What we know we don't know
- The exact group attribution for the 2026 wave. The agencies tie it to prior CyberAv3ngers/IRGC activity but reporting noted the current campaign was not flatly attributed to the named group in the advisory's main text.
- The named victims and specific facilities. The advisory references operational disruption and financial loss at "some victims" without naming them as of the April 2026 publication.
- The full vendor scope. Rockwell/Allen-Bradley (CompactLogix, Micro850) is cited, with "other vendors may also be at risk." The precise list of affected device families in the 2026 wave is not exhaustively public.
- The precise initial-access mix. Reporting links CVE-2021-22681 and default credentials and internet exposure; the proportion of intrusions using the auth-bypass versus weak/default credentials is not quantified.
- The current operational status. The campaign was active as of the advisory and through May 2026 reporting; the degree to which it has been contained at affected sites is not fully public.
References
- CISA, "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure," advisory AA26-097A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
- FBI/IC3 joint advisory PDF (April 7, 2026): https://www.ic3.gov/CSA/2026/260407.pdf
- SecurityWeek, "Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks": https://www.securityweek.com/iran-linked-hackers-disrupt-us-critical-infrastructure-via-plc-attacks/
- Cybersecurity Dive, "Iran-linked hackers target water, energy in US, FBI and CISA warn": https://www.cybersecuritydive.com/news/iran-linked-hackers-targeting-water-energy-in-us-fbi-and-cisa-warn/816949/
- Tenable, "CyberAv3ngers: FAQ About the IRGC-Linked Group Targeting Critical Infrastructure": https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure
- CISA, ICS advisory ICSA-21-056-03, Rockwell Automation Logix Controllers (CVE-2021-22681): https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
- NVD, CVE-2021-22681 detail: https://nvd.nist.gov/vuln/detail/CVE-2021-22681