In late 2023, hackers linked to Iran’s Islamic Revolutionary Guard Corps broke into the digital controls at a small water authority in Aliquippa, Pennsylvania, compromising a system that monitors water pressure for thousands of residents. The breach was not subtle: the attackers left a digital calling card, an anti-Israel message, on the screen of the programmable logic controller. It was also not an isolated event. As of June 2026, federal agencies have issued a series of urgent advisories warning that state-sponsored hackers from both Iran and China have already gained footholds inside networks that control drinking water, ports, energy grids, and transportation systems across the United States, and that those footholds may be held in reserve for activation during a future geopolitical crisis.
The warnings, issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and the Environmental Protection Agency, describe documented intrusions, not theoretical risks. For the more than 148,000 public water systems that serve communities nationwide, and for the transit and port authorities that keep goods and people moving, the federal government is now treating coordinated digital sabotage during an international conflict as a planning baseline rather than a worst case.
What federal agencies have confirmed
Two distinct threat campaigns form the backbone of the federal warnings. The first involves Iranian-affiliated hackers who have targeted U.S. water systems, gaining unauthorized access to operational technology that controls treatment processes. A joint advisory from CISA, the FBI, the NSA, and the EPA, published on an EPA news page, frames these attacks as urgent and ongoing. The Aliquippa breach became the most publicly visible example: Matthew Mottes, chairman of the Municipal Water Authority, told reporters at the time that the compromised device had been taken offline and that there was no impact on water quality, but the incident demonstrated that attackers could reach the industrial controls managing chemical dosing and pressure levels.
The second campaign is broader and more alarming in its stated objective. A separate advisory from CISA, the NSA, and the FBI identifies a Chinese state-sponsored group known as Volt Typhoon that has compromised and maintained persistent access to U.S. critical infrastructure across multiple sectors, including communications, energy, transportation, and water systems. That assessment, labeled advisory AA24-038A, concludes that these actors are pre-positioning for disruptive and destructive cyberattacks “in the event of a major crisis or conflict.” In January 2024, the U.S. Department of Justice confirmed it had disrupted a botnet the People’s Republic of China used to conceal hacking activity targeting critical infrastructure, taking at least some of the masking infrastructure offline.
The severity of the Volt Typhoon threat prompted then-CISA Director Jen Easterly and FBI Director Christopher Wray to testify before Congress in early 2024. Wray told the House Select Committee on the Chinese Communist Party that Volt Typhoon’s targets were “the very things that every American depends on in their daily life,” including water treatment plants, the electrical grid, and transportation systems. Easterly described the group’s activity as preparation for “low blows against civilians” in the event of a conflict in the Taiwan Strait or another flashpoint.
CISA has also published broader strategy documents tying geopolitical crises to the risk of cascading failures across ports, energy grids, water systems, and communications networks. The agency is explicitly urging resilience planning: it wants operators to assume attacks will happen and to build systems that can absorb damage rather than simply trying to prevent every breach. In that framework, cyber intrusions into water utilities or transportation hubs are treated as potential triggers for wider disruption, not just localized IT problems.
What remains uncertain
The federal advisories confirm that intrusions have occurred, but they do not disclose the full number of water utilities or transportation networks that have been compromised. The EPA and CISA describe impacts in aggregate terms. Apart from the Aliquippa case and a handful of other publicly reported incidents, no individual utility has detailed the operational consequences it experienced. This gap makes it difficult to gauge how deeply adversaries have penetrated the systems serving specific communities, or whether certain regions face greater exposure than others.
The Volt Typhoon assessment is similarly broad. While AA24-038A names affected sectors and describes pre-positioning activity, it does not specify which transportation networks or communications providers were breached, nor does it quantify how many organizations remain compromised after remediation efforts. An earlier CISA advisory on threats to water and wastewater systems outlines risks such as loss of monitoring and control, along with potential safety impacts, but relies on aggregated federal summaries rather than incident-level disclosures.
There is also no publicly available data measuring whether the recommended mitigations, such as network segmentation, multifactor authentication, and regular patching, have reduced the rate of successful intrusions across these sectors. Federal agencies have published technical guidance and offered free assessments, but the effectiveness of that guidance at the facility level has not been independently quantified. Without that feedback loop, utilities and transit agencies are investing in defenses whose real-world impact remains undocumented.
The timing dimension carries its own uncertainty. The phrase “in the event of a major crisis or conflict” does not define a specific trigger. Whether pre-positioned access would be activated during a Taiwan Strait confrontation, a sharp escalation in sanctions, or some other geopolitical flashpoint is left open. Intelligence agencies deliberately avoid signaling precise thresholds, but that ambiguity complicates planning for utility operators who need to decide how much to spend and how fast to act.
How to weigh the evidence
The strongest evidence here comes directly from joint federal advisories, which represent consensus assessments across multiple intelligence and law enforcement agencies. When CISA, the FBI, and the NSA jointly state that a threat actor has compromised critical infrastructure, that language reflects vetted intelligence, not speculation. The EPA’s involvement in the water-sector advisory adds regulatory weight, since the agency has enforcement authority over drinking water safety and oversees compliance with health-based standards.
CISA’s broader resilience strategy serves a different function. It is a policy framework rather than an incident report, and its value lies in showing how the federal government connects individual intrusions to systemic risk: the possibility that attacks on water, energy, transportation, and communications could amplify each other during a crisis, creating failures that cascade faster than any single agency can respond.
What the evidence does not yet support is a claim that any attack described in these documents has caused a public health emergency or a prolonged transportation shutdown. The advisories describe access, pre-positioning, and operational disruption at the facility level, but they stop short of documenting large-scale harm to civilians. The gap between “they are inside the systems” and “they have caused widespread damage” is real, and readers should hold that distinction clearly.
It is also worth recognizing the limits of what can be shared publicly. Detailed forensic data, such as which valves were manipulated or which rail control servers were accessed, often remains classified or restricted to industry information-sharing groups. That secrecy frustrates communities that want to know how safe their water or transit systems are, but it reflects a calculation that revealing too much would help adversaries refine their techniques.
What operators and communities should do now
For water utility managers, IT directors at transit agencies, and local officials responsible for emergency planning, the practical takeaway is direct. Federal agencies are telling them to assume that adversaries already have access and to focus on detection, segmentation, and recovery rather than relying solely on perimeter defenses. That means separating business networks from operational technology, enforcing multifactor authentication on remote access, and rehearsing how to run critical processes in a degraded or manual mode if digital controls are compromised.
CISA offers free incident response services and vulnerability scanning through its online portal, and the FBI accepts cyber incident reports through the Internet Crime Complaint Center and local field offices. The first step for any operator who has not yet engaged with these resources is to establish a relationship before a crisis hits, so that contact points and escalation paths are already clear when an intrusion is detected. At the local level, emergency managers can integrate cyber disruption scenarios into tabletop exercises that already cover storms, floods, and power outages, treating digital sabotage as another hazard capable of knocking out water or transportation services.
For the public, the picture requires holding two realities at once. Foreign state-sponsored actors have obtained access to parts of the infrastructure that delivers essential services, and they may be holding that access in reserve for a future crisis. That does not mean taps are unsafe today or that trains are on the verge of being halted by a keystroke. But the Aliquippa breach showed that the threat is not abstract: a foreign government reached into a small-town water system and touched the controls. The federal government is now asking every operator in the country to act as though the same thing could happen to them, at scale, and at the worst possible moment.
*This article was researched with the help of AI, with human editors creating the final content.