Morning Overview

CISA says Iranian hackers have been manipulating SCADA displays at US water and energy facilities since March

Federal cybersecurity officials say Iranian-linked hackers have been breaking into the operational technology that controls U.S. drinking water and wastewater systems, manipulating the digital displays that plant operators rely on to monitor water pressure, chemical levels, and flow rates. A joint advisory from CISA, the FBI, the NSA, and the EPA, updated in spring 2026, warns that the campaign has been active since at least March and has caused disruptions at multiple facilities.

The intrusions target a specific class of industrial equipment: programmable logic controllers, or PLCs, manufactured by Unitronics. These devices are widely deployed at small and mid-sized water utilities across the country, often running with factory-default passwords and connected directly to the internet for remote monitoring. According to CISA, the attackers have exploited those weak configurations to access human-machine interface screens, the dashboards operators watch to ensure treatment processes stay within safe parameters.

“The compromise of these PLCs means an operator could be looking at a screen showing normal chlorine levels while actual dosing has shifted,” said a senior CISA official during a briefing with water-sector stakeholders. “That gap between what the screen says and what the system is doing is where the real danger lives.”

Who is behind the attacks

CISA has publicly attributed the campaign to a group known as CyberAv3ngers, which U.S. intelligence agencies have linked to Iran’s Islamic Revolutionary Guard Corps. The group first drew national attention in November 2023 when it compromised a Unitronics PLC at the Municipal Water Authority of Aliquippa, Pennsylvania. In that incident, the attackers defaced the controller’s display with an anti-Israel message but did not alter water treatment operations.

Since then, the group’s tactics have evolved. The updated federal advisory describes intrusions that go beyond defacement into active manipulation of SCADA displays, meaning operators at affected facilities may have seen readings that did not match actual plant conditions. While the agencies have not publicly confirmed that any manipulation led to unsafe water reaching consumers, the advisory’s language makes clear that the disruptions were serious enough to warrant a rare, coordinated warning from four federal agencies.

What the advisory tells utilities to do

The joint advisory lays out specific defensive steps. Utilities should immediately change all default passwords on Unitronics PLCs and any other internet-facing industrial controllers. Systems that do not need remote access should be disconnected from the public internet entirely. Where remote access is necessary, agencies recommend placing controllers behind a virtual private network with multifactor authentication enabled.

Operators are also urged to cross-check digital readings against manual or analog instruments. If a SCADA screen shows stable chlorine residuals but a handheld colorimeter at the same sample point returns a different number, that discrepancy could indicate display tampering. Any anomalies should be reported through CISA’s incident reporting portal or the FBI’s Internet Crime Complaint Center so federal analysts can correlate isolated incidents into a national picture.
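The cross-check described above can be run routinely against logged data. The following Python sketch is an added example, not part of the federal advisory or the original article: it pairs each handheld reading with the nearest SCADA value for the same sample point and flags disagreements. The tag names, readings, the 0.2 mg/L tolerance, and the 15-minute matching window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: tag names, units (mg/L free chlorine) and values
# are illustrative assumptions, not taken from any real facility.
SCADA = [  # (timestamp, sample point, value shown on the HMI)
    ("2026-04-02T08:00", "CL2-CLEARWELL", 1.20),
    ("2026-04-02T08:15", "CL2-CLEARWELL", 1.20),
    ("2026-04-02T12:00", "CL2-CLEARWELL", 1.20),
    ("2026-04-02T12:15", "CL2-CLEARWELL", 1.20),
    ("2026-04-02T08:00", "CL2-DIST-04", 0.85),
]
MANUAL = [  # (timestamp, sample point, handheld colorimeter reading)
    ("2026-04-02T08:05", "CL2-CLEARWELL", 1.15),
    ("2026-04-02T12:10", "CL2-CLEARWELL", 0.40),
    ("2026-04-02T09:30", "CL2-DIST-04", 0.80),
]


def cross_check(scada, manual, tolerance=0.2, window=timedelta(minutes=15)):
    """Compare each manual reading with the nearest SCADA value in time.

    Returns a list of (manual timestamp, sample point, finding, delta):
      MISMATCH      - display and instrument differ by more than `tolerance`
      NO_SCADA_DATA - no displayed value within `window` of the manual sample,
                      so the display cannot be verified for that point
    """
    findings = []
    for m_ts, point, m_val in manual:
        taken = datetime.fromisoformat(m_ts)
        # Displayed values for the same sample point, close enough in time
        nearby = [
            (abs(datetime.fromisoformat(s_ts) - taken), s_val)
            for s_ts, s_point, s_val in scada
            if s_point == point
            and abs(datetime.fromisoformat(s_ts) - taken) <= window
        ]
        if not nearby:
            findings.append((m_ts, point, "NO_SCADA_DATA", None))
            continue
        _, s_val = min(nearby, key=lambda pair: pair[0])
        delta = round(s_val - m_val, 3)  # positive: screen reads high
        if abs(delta) > tolerance:
            findings.append((m_ts, point, "MISMATCH", delta))
    return findings


if __name__ == "__main__":
    for finding in cross_check(SCADA, MANUAL):
        print(finding)
```

A mismatch on its own can also come from sensor drift or a miscalibrated instrument, so a flagged reading is a prompt to re-sample and investigate rather than proof of tampering.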

Why water utilities are especially vulnerable

The U.S. has roughly 150,000 public water systems, and the vast majority serve fewer than 10,000 people. Many of these small utilities operate with skeleton IT staffs, sometimes a single employee who doubles as both plant operator and network administrator. Budgets for cybersecurity upgrades compete with urgent physical needs like replacing aging pipes and meeting EPA water quality standards.

That resource gap has made the water sector a softer target than industries like finance or energy, where regulatory frameworks and larger budgets have driven more aggressive cybersecurity investment. The EPA has authority to assess cybersecurity practices during sanitary surveys of water systems, but enforcement has been inconsistent. A 2023 effort by the agency to require states to include cybersecurity evaluations in those surveys was withdrawn after legal challenges from state attorneys general and water industry groups.

Without a binding federal cybersecurity mandate for water utilities, compliance remains largely voluntary. CISA and the EPA offer free technical assistance, vulnerability scanning, and on-site assessments, but utilities must opt in. According to water-sector officials who have participated in federal briefings, uptake has increased since the Aliquippa incident but remains uneven, particularly among the smallest systems that are most exposed.

The energy-sector question

The same Unitronics PLCs and similar SCADA components appear in energy, oil, and gas operations, which means the attack techniques CyberAv3ngers used against water systems could transfer to other sectors. Cybersecurity researchers at firms including Dragos and Claroty have documented overlapping equipment across critical infrastructure and have flagged the potential for cross-sector exploitation.

However, the federal advisory focuses specifically on water and wastewater systems. No equivalent multi-agency statement has confirmed Iranian-linked compromises at named energy facilities tied to this particular campaign. CISA has acknowledged in broader threat briefings that Iranian cyber actors probe energy-sector networks, but the agency has not published specific incident details comparable to the water-sector advisory. Readers should treat the energy dimension as a credible concern supported by technical analysis, not yet as a confirmed federal finding on par with the water-sector intrusions.

What happens next

Federal officials say the campaign is ongoing. CISA has scheduled additional classified and unclassified briefings with water-sector stakeholders through June 2026, and the agency is expanding its free vulnerability scanning program to prioritize utilities that use Unitronics equipment. The FBI has opened investigations tied to specific intrusions, though no indictments have been announced.

For the tens of millions of Americans served by small and mid-sized water systems, the practical risk remains low but not zero. The advisory confirms that foreign-linked actors have reached the operational controls of some U.S. water facilities and have manipulated the displays operators depend on. No public evidence indicates that contaminated water reached consumers as a result, but the margin between a manipulated screen and a public health incident is thinner than most people realize. Whether utilities close that gap depends on local budgets, staffing decisions, and a federal regulatory landscape that still treats water-sector cybersecurity as largely optional.

*This article was researched with the help of AI, with human editors creating the final content.