Morning Overview

Iran-linked hackers are inside US water systems targeting the PLCs that control 80% of grid endpoints

In late 2023, operators at the Municipal Water Authority of Aliquippa, Pennsylvania, discovered that hackers linked to Iran’s Islamic Revolutionary Guard Corps had broken into a programmable logic controller governing part of their water system. The device’s password was “1111” – the factory default. By May 2026, federal agencies say the campaign that breached Aliquippa has not stopped. A joint advisory from the EPA, FBI, CISA, and NSA warns that Iranian-affiliated hackers continue to target U.S. drinking water and wastewater systems by exploiting Unitronics PLCs, the industrial controllers that regulate pressure, chemical dosing, and flow at thousands of treatment plants nationwide.

PLCs are the workhorses of industrial automation. According to a 2024 Dragos Inc. analysis of operational technology environments, programmable logic controllers account for roughly 80% of the endpoints managing processes across water, energy, and manufacturing sectors. Unitronics, an Israeli-made brand, holds a significant share of that installed base in U.S. water utilities, particularly among small and midsize systems that adopted the controllers for their low cost and ease of deployment. That ubiquity is now a liability.

What is verified so far

The federal government’s case rests on three primary documents. Advisory AA23-335A, published by CISA, directly attributes the exploitation of Unitronics PLCs to IRGC-affiliated cyber actors operating under the name CyberAv3ngers. The technical advisory covers multiple sectors but singles out U.S. water and wastewater facilities as confirmed targets. Federal officials describe the CyberAv3ngers as a group that has focused on Israeli-made industrial equipment and demonstrated both the capability and intent to disrupt critical services. That attribution moves the threat from hacktivist-style vandalism into the category of state-linked operations backed by Iran’s military intelligence apparatus.

A separate CISA alert from November 2023 provides the most granular public account of a confirmed breach. At the Aliquippa facility, a Unitronics Vision Series PLC was actively exploited. Operators took the compromised controller offline and switched to manual operations to maintain water service. CISA confirmed there was no known risk to drinking water from that particular incident. But the alert also disclosed a detail that reframed the entire threat: Unitronics PLCs ship with a default password of “1111” and communicate over TCP port 20256, meaning any facility that never changed the factory credential was exposed to a relatively low-skill intrusion.

That default-password problem is central to understanding why this campaign succeeded. The attackers did not need zero-day exploits, custom malware, or advanced tradecraft for initial access. They scanned for exposed Unitronics devices on the open internet, attempted a basic login with a known default, and pivoted from there. For water utilities operating with lean IT staffs, limited cybersecurity budgets, and aging operational technology, this gap turned a geopolitical cyber campaign into a domestic operational emergency.

The most recent federal guidance, advisory AA26-097A issued jointly by the EPA, FBI, CISA, and NSA, confirms that the threat remains active as of 2026. The advisory references exploitation across drinking water and wastewater organizations and frames the risk as ongoing rather than historical. While the document is tailored to the water sector, its technical indicators and mitigation steps apply broadly: Unitronics PLCs also appear in wastewater treatment, industrial manufacturing, and parts of the energy sector. The cross-sector applicability reinforces that the campaign is opportunistic. The attackers are going after a vulnerable product line wherever it is reachable, not targeting one specific utility.

What remains uncertain

No public accounting exists of how many U.S. water systems have been compromised beyond Aliquippa. The AA26-097A advisory references exploitation across organizations in the plural, yet specific facility counts, geographic distribution, and severity grades have not been disclosed. Whether that silence reflects classification constraints, incomplete forensics, or a deliberate effort to avoid public alarm is not clear from available documents.

The precise relationship between the CyberAv3ngers persona and formal IRGC command structures also lacks full public documentation. The federal attribution ties the group to IRGC-affiliated actors, but the chain of authority is not spelled out. Whether these operators act on direct orders, receive broad strategic guidance, or function as loosely aligned proxies remains an open question. In February 2024, the U.S. Treasury Department sanctioned six IRGC officials connected to CyberAv3ngers, reinforcing the state-linked designation but still leaving the operational hierarchy partially opaque.

Scale is the largest unknown. No primary government dataset enumerating the total installed base of Unitronics PLCs in U.S. critical infrastructure has been released publicly. Industry estimates from firms like Dragos and Claroty suggest PLCs broadly dominate the endpoint landscape in operational technology, but the specific share held by Unitronics versus competitors like Allen-Bradley or Siemens varies by sector and region. Without a verified baseline, the true blast radius of a coordinated exploitation campaign is difficult to quantify, especially when many smaller utilities may not have full inventories of their own operational technology.

Whether any intrusion has progressed beyond initial access to actual manipulation of water treatment processes is also unresolved. CISA’s language about the Aliquippa breach – “no known risk to drinking water” – applies to one facility at one point in time. Whether other compromised systems experienced chemical dosing changes, pressure fluctuations, or data integrity issues has not been addressed in public advisories. Investigators may not have completed forensic analysis across all affected sites, or findings may remain restricted to law enforcement and intelligence channels.

Detection gaps compound the uncertainty. Many small and midsize utilities lack continuous monitoring of their operational networks, meaning subtle intrusions could go unnoticed for months. The advisories urge utilities to review logs but do not indicate how many organizations actually have the logging depth needed to reconstruct past activity. The known incidents may represent only the cases where attackers were noisy or encountered defenders with stronger visibility.

What utilities and regulators are doing now

The EPA has used its authority under the Safe Drinking Water Act to push cybersecurity assessments into routine sanitary surveys for public water systems, though enforcement has faced legal challenges from state attorneys general and industry groups who argue the agency overstepped its regulatory mandate. In March 2024, the EPA withdrew a memorandum that would have required states to evaluate cybersecurity practices during those surveys, citing litigation. The agency has since shifted to voluntary guidance and technical assistance through partnerships with CISA and the Water Information Sharing and Analysis Center, known as WaterISAC.

Congress has also taken incremental steps. The Cyber Incident Reporting for Critical Infrastructure Act, signed into law in 2022, will eventually require water utilities to report significant cyber incidents to CISA, but the rulemaking process for final reporting requirements has extended into 2025 and 2026. Until those rules take effect, reporting remains largely voluntary, which means the federal government’s visibility into the full scope of water-sector compromises depends on utilities choosing to come forward.

At the facility level, the immediate checklist from CISA is straightforward: inventory all Unitronics devices, change default passwords, restrict or close TCP port 20256, remove PLCs from direct internet exposure where possible, and monitor for known indicators of compromise. Those steps offer meaningful risk reduction even without a full network redesign. But for the roughly 50,000 community water systems in the United States, many of which serve populations under 10,000 and operate with annual cybersecurity budgets near zero, executing even basic mitigations requires resources and expertise that may not exist on staff.
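The two checks in that checklist that lend themselves to automation are the inventory review and the log review. The script below is an added example, not part of the advisory or any utility's tooling: it audits a constructed PLC inventory against the default-password and internet-exposure items and scans constructed firewall log lines for connections to TCP port 20256 that originate outside an assumed engineering subnet (10.10.0.0/16); the log format and field names are assumptions for illustration.

```python
"""Audit a Unitronics PLC inventory and flag out-of-subnet access to TCP/20256."""
import ipaddress
import re

PLC_PORT = 20256  # Unitronics TCP port cited in the CISA alert
# Assumed allow-list: only the OT/engineering subnet should reach PLCs.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample inventory (not a real utility's asset list).
INVENTORY = [
    {"name": "chlorine-dosing-plc", "ip": "10.10.5.21",
     "default_password_changed": False, "internet_exposed": True},
    {"name": "booster-pump-plc", "ip": "10.10.5.22",
     "default_password_changed": True, "internet_exposed": False},
    {"name": "clearwell-level-plc", "ip": "10.10.5.23",
     "default_password_changed": True, "internet_exposed": True},
]

# Constructed firewall log lines in a simple key=value layout (hypothetical format).
SAMPLE_LOGS = """\
2026-05-02T03:14:07Z action=allow proto=tcp src=198.51.100.77 dst=10.10.5.21 dport=20256
2026-05-02T03:14:09Z action=allow proto=tcp src=10.10.1.15 dst=10.10.5.22 dport=20256
2026-05-02T03:15:30Z action=allow proto=tcp src=203.0.113.9 dst=10.10.5.23 dport=20256
2026-05-02T03:16:02Z action=allow proto=tcp src=203.0.113.9 dst=10.10.5.23 dport=443
"""

LOG_RE = re.compile(r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def audit_inventory(inventory):
    """Return (device, issue) pairs for PLCs that still miss a checklist item."""
    findings = []
    for dev in inventory:
        if not dev["default_password_changed"]:
            findings.append((dev["name"], "default password still set"))
        if dev["internet_exposed"]:
            findings.append((dev["name"], "reachable from the internet"))
    return findings


def untrusted_plc_access(log_text, inventory):
    """Return (timestamp, src, dst) for TCP/20256 hits on a known PLC from outside TRUSTED_NETS."""
    plc_ips = {dev["ip"] for dev in inventory}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != PLC_PORT:
            continue  # only PLC-protocol traffic matters here
        src = ipaddress.ip_address(m["src"])
        if m["dst"] in plc_ips and not any(src in net for net in TRUSTED_NETS):
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits
```

Replacing `INVENTORY` and `SAMPLE_LOGS` with a real asset list and exported firewall logs turns this into a first-pass check against the CISA items before any network redesign.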

Why default passwords remain a structural problem

The Unitronics “1111” default is not an anomaly. Industrial control systems across manufacturers have historically shipped with weak or nonexistent authentication, a legacy of an era when these devices sat on isolated networks with no internet connectivity. As utilities modernized and connected PLCs to broader networks for remote monitoring and efficiency, the security assumptions baked into the hardware did not keep pace. The result is a sprawling attack surface where sophisticated nation-state actors can gain footholds using techniques that would barely qualify as hacking in a traditional IT environment.

Unitronics has issued guidance urging customers to change default credentials and restrict network access to its Vision and Samba series controllers. But the responsibility for applying those changes falls on thousands of individual operators, many of whom purchased the equipment years ago and may not track vendor advisories. The gap between a manufacturer issuing a security recommendation and every end user implementing it is where campaigns like CyberAv3ngers thrive.

For the public, the takeaway is not that tap water is currently unsafe. Federal agencies have been explicit that no drinking water contamination has been linked to these intrusions. The concern is structural: critical infrastructure security in the water sector often hinges on basic cyber hygiene that has not been universally adopted. Iranian-linked actors have documented that weakness and demonstrated willingness to exploit it. Federal agencies have now named the threat, published the indicators, and handed operators a remediation playbook. Closing the gap requires thousands of local utilities to act on that guidance before the next scan finds another PLC still running on “1111.”

*This article was researched with the help of AI, with human editors creating the final content.