In late 2023, hackers tied to Iran’s Islamic Revolutionary Guard Corps broke into programmable logic controllers at American water utilities using a technique that required no special tools and no insider access. They simply tried the factory-default passwords that shipped with the devices. It worked. Now, more than two years later, federal officials say the underlying vulnerabilities remain widespread, and the same class of attack could reach far beyond water systems into the electrical grid, manufacturing, and other sectors where PLCs govern physical machinery.
A series of joint advisories from CISA, the EPA, the FBI, and the NSA has laid out the threat in unusually direct terms. The agencies identified the attackers as “CyberAv3ngers,” a persona linked to the IRGC, and confirmed that the group had compromised Unitronics-brand PLCs at multiple U.S. water and wastewater facilities. As of mid-2026, the federal government continues to treat this campaign as an active and evolving threat to critical infrastructure, with CISA advisory AA26-097A extending the technical guidance and indicators of compromise first published in December 2023.
What the federal advisories actually confirm
On December 1, 2023, CISA and its partner agencies released a joint advisory confirming that IRGC-affiliated actors had exploited Unitronics PLCs, an Israeli-made line of industrial controllers deployed across U.S. water and wastewater systems. The attackers found devices connected directly to the public internet with factory-default credentials still active. No zero-day exploit was needed. No sophisticated malware was deployed. The front door was unlocked, and the attackers walked in.
A broader advisory from the EPA, FBI, CISA, and NSA followed, warning all U.S. water systems that operational disruptions had already occurred in industrial control environments. The EPA’s announcement included on-the-record statements from the agency’s Assistant Administrator for Water and its enforcement leadership, framing the intrusions not only as cybersecurity incidents but as potential violations of environmental and public health regulations. That language was deliberate: it put utility operators on notice that failing to secure PLCs could carry regulatory consequences, not just operational ones.
CISA’s subsequent advisory, AA26-097A, expanded the technical picture with updated indicators of compromise and mitigation guidance. Taken together, the three documents describe a consistent pattern: state-backed actors affiliated with the IRGC are scanning the internet for exposed PLCs, testing default credentials, and gaining access to devices that directly control physical processes. The technique is basic. The implications are not.
Why default passwords on PLCs are so dangerous
Programmable logic controllers are not office computers. They are the devices that open valves, start pumps, dose chemicals, and trip circuit breakers. When an attacker compromises a PLC, the gap between a digital intrusion and a physical consequence is measured in milliseconds. A manipulated controller at a water treatment plant could alter chlorine levels. At an electrical substation, it could open breakers and cut power. Even if attackers stop short of destructive action, forcing operators to shut down automated systems and switch to manual control can disrupt service for hours or days and impose significant costs.
CyberAv3ngers did not need to develop custom exploits to reach these devices. Unitronics PLCs, like many industrial controllers, ship with well-documented default usernames and passwords listed in publicly available manuals. When operators never change those credentials and leave the devices reachable from the open internet, they create an attack surface that requires no skill to exploit. The advisories describe this as the primary vector, and it is one that basic security hygiene would eliminate.
The recommended fixes are straightforward: segment operational technology networks from corporate IT and the public internet, disable unnecessary remote access, enforce multi-factor authentication on administrative interfaces, and change factory credentials during initial setup. These are not cutting-edge defenses. They are baseline practices that many utilities, particularly smaller ones with limited IT budgets, have not consistently implemented.
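Those four fixes map directly onto checks a utility can run against its own controller inventory. The following audit is an added example, not code from the advisories, from Unitronics or from this article: it walks a constructed inventory and flags the combination the campaign exploited (factory-default password on an internet-reachable controller) together with the other gaps the advisories list. The vendor name, default password, zone names, port numbers and firewall rules are all constructed.

```python
"""Added example, not code from CISA, the EPA or this article: a configuration
audit over a PLC inventory. Every device record, vendor default and port below
is constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a vendor's published factory password. In practice the
# reference list lives in a controlled file, never in source.
VENDOR_DEFAULT_PASSWORDS = {"ExampleVendor": ["factory-default-pw"]}
OT_ZONES = {"ot-l1", "ot-l2"}          # assumption: names of the segmented OT zones


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class FirewallRule:
    src_cidr: str        # "0.0.0.0/0" means any source on the internet
    dst_port: int


@dataclass
class PLC:
    name: str
    vendor: str
    mgmt_port: int                  # engineering/programming port on the device
    password_sha256: str            # hash exported by config management, never plaintext
    remote_access_enabled: bool
    mfa_on_admin: bool
    network_zone: str
    inbound_rules: list = field(default_factory=list)   # perimeter rules that reach this device (post-NAT)


def uses_default_password(plc: PLC) -> bool:
    defaults = VENDOR_DEFAULT_PASSWORDS.get(plc.vendor, [])
    return plc.password_sha256 in {sha256_hex(p) for p in defaults}


def internet_reachable(plc: PLC) -> bool:
    # An any-source rule (prefix length 0) that reaches the engineering port.
    return any(
        r.dst_port == plc.mgmt_port and ipaddress.ip_network(r.src_cidr).prefixlen == 0
        for r in plc.inbound_rules
    )


def audit(plc: PLC) -> list:
    """Return (severity, message) findings, worst first."""
    findings = []
    exposed, default_pw = internet_reachable(plc), uses_default_password(plc)
    if exposed and default_pw:
        # The exact combination the campaign relied on: no exploit required.
        findings.append(("critical", "factory-default password on an internet-reachable controller"))
    elif default_pw:
        findings.append(("high", "factory-default password still set"))
    elif exposed:
        findings.append(("high", "engineering port reachable from any internet source"))
    if plc.remote_access_enabled and not plc.mfa_on_admin:
        findings.append(("medium", "remote administration enabled without MFA"))
    if plc.network_zone not in OT_ZONES:
        findings.append(("medium", f"controller sits in non-OT zone '{plc.network_zone}'"))
    return findings


# Constructed inventory: one exposed legacy controller, one hardened, one partly fixed.
EXAMPLE_INVENTORY = [
    PLC("wtp-chlorine-plc", "ExampleVendor", 20256, sha256_hex("factory-default-pw"),
        True, False, "corporate", [FirewallRule("0.0.0.0/0", 20256)]),
    PLC("wtp-pump-plc", "ExampleVendor", 20256, sha256_hex("rotated-at-commissioning"),
        False, True, "ot-l2", [FirewallRule("10.20.0.0/16", 20256)]),
    PLC("lift-station-plc", "ExampleVendor", 20256, sha256_hex("factory-default-pw"),
        True, True, "ot-l2", [FirewallRule("10.20.0.0/16", 20256)]),
]

if __name__ == "__main__":
    for plc in EXAMPLE_INVENTORY:
        for severity, message in audit(plc) or [("ok", "no findings")]:
            print(f"{plc.name}: {severity}: {message}")
```

Comparing a stored hash against the hash of the vendor default keeps plaintext passwords out of the audit tooling; the third record shows why the checks are scored separately, since a default password behind a properly segmented perimeter is still a high finding, just not the critical one.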
The EPA directed water utilities to use existing enforcement channels to report cyber-related violations affecting environmental compliance. The FBI urged victims to file through its Internet Crime Complaint Center, and CISA pointed operators to its own incident reporting portal. The explicit push to formalize reporting suggests federal agencies expect the problem to grow and are building the data infrastructure to track it.
The gap between the headline claim and the evidence
The assertion that PLCs “run 80% of grid endpoints” does not appear in any CISA, EPA, or NSA advisory reviewed for this article. PLCs are unquestionably widespread in electricity generation and distribution, but the specific 80% figure traces to secondary industry analyses and vendor estimates rather than government data. It is best understood as a rough approximation of PLC prevalence across industrial control environments, not a precise federal statistic.
More importantly, no federal advisory reviewed here describes a confirmed, successful CyberAv3ngers attack against a U.S. power plant. The documented compromises targeted water and wastewater systems. The risk to the electrical grid is inferred from the fact that the same types of controllers, including Unitronics models, are used across multiple critical infrastructure sectors. That inference is reasonable, but it is not the same as a confirmed incident. Power plants and large grid operators typically maintain more segmented network architectures and more mature monitoring than small municipal water systems, though the degree of that advantage varies widely.
The scope of the confirmed compromises also remains unclear. Federal agencies have not publicly disclosed how many utilities were affected, how long attackers maintained access, or whether any intrusion caused lasting physical damage. Public statements reference “compromises” and “disruptions” without quantifying them. Classified annexes may contain those details, but the open record leaves significant gaps.
Attribution to the IRGC, while stated with high confidence by four agencies, has not been accompanied by indictments, sanctions designations, or other legal actions that would put additional evidence into the public record. The CyberAv3ngers label comes from intelligence assessments and technical analysis, which carry institutional weight but are not subject to the adversarial testing of a courtroom. That does not make the attribution unreliable. It means the full evidentiary basis is not visible to outside observers.
What has changed since the first warnings
Since the initial advisories in late 2023, the federal posture toward industrial control system security has shifted. CISA has continued to update its guidance, and the EPA has signaled that cybersecurity failures at water utilities may be treated as compliance violations under existing Safe Drinking Water Act authorities. Congressional attention to PLC security has increased, though no major new legislation specifically targeting industrial controller hardening had been enacted as of early 2026.
On the vendor side, Unitronics and other PLC manufacturers have faced growing pressure to eliminate default credentials from shipping configurations, a change that some newer firmware versions have begun to address. But the installed base of older controllers with unchanged passwords remains enormous, and replacing or reconfiguring legacy devices is expensive and operationally disruptive for utilities that run around the clock.
Meanwhile, threat intelligence firms tracking CyberAv3ngers and related IRGC-linked groups have reported continued scanning activity against internet-exposed industrial devices. The group has not disappeared. The attack surface has not meaningfully shrunk. And the basic technique that worked in 2023, trying default passwords on internet-facing PLCs, still works wherever operators have not taken the steps the advisories recommended.
How to read the risk without overstating it
The strongest evidence in this case comes from the joint advisories themselves. When four federal agencies with distinct missions (environmental regulation, criminal investigation, network defense, and signals intelligence) agree on attribution and threat characterization, the institutional bar for that consensus is high. These are not speculative threat briefings. They describe observed activity against real systems and provide concrete steps for operators to follow.
But secondary coverage has, in some cases, extended the findings beyond what the documents support. Claims about nationwide blackout scenarios reflect plausible worst-case modeling, not documented outcomes of CyberAv3ngers activity. Sweeping statements that “the grid has already been penetrated” blur the line between confirmed compromises of specific PLCs at water utilities and broader, systemic control over energy networks. The distinction matters for anyone trying to gauge actual risk rather than hypothetical fear.
Two conclusions hold up under scrutiny. First, the threat is real and ongoing: IRGC-linked actors have demonstrated both the intent and the capability to interfere with operational technology in U.S. critical infrastructure, and they continue to probe for weaknesses. Second, the most effective defenses are not exotic. Reducing internet exposure, enforcing strong authentication, and maintaining basic configuration discipline on PLCs would neutralize the specific tactics these advisories describe.
For utilities, the lesson is blunt: even a small system with a limited budget becomes a geopolitical target the moment it leaves essential equipment exposed online with a factory password. For the public, the picture is more nuanced than either panic or complacency. The country’s critical infrastructure is neither collapsing nor fully secured. What happens next depends on whether operators close the basic gaps that attackers have already shown they know how to find.
*This article was researched with the help of AI, with human editors creating the final content.