Morning Overview

Iran’s hackers are inside US water systems and power grids right now, six federal agencies warn

Somewhere in the United States right now, Iranian-linked hackers have access to the computerized controllers that regulate how chemicals are dosed into drinking water and how electricity moves through the grid. That is not a hypothetical scenario. It is the explicit warning from a series of joint federal advisories, the most recent issued in spring 2026 by six agencies, including the FBI, the EPA, CISA, and the NSA, alongside cybersecurity partners in Canada and Australia.

The advisories confirm that hackers affiliated with Iran’s Islamic Revolutionary Guard Corps have penetrated programmable logic controllers, the industrial hardware that automates physical processes inside water treatment plants, power facilities, and government service networks. Some U.S. organizations have already experienced disruption. And the campaign, which federal agencies have tracked since late 2023, is not over. It is ongoing.

What is verified so far

The trail of evidence starts with a specific piece of equipment. In November 2023, CISA flagged the exploitation of Unitronics programmable logic controllers at a U.S. water facility. Unitronics PLCs are workhorses of the water industry, used to automate chemical dosing, pressure regulation, and pump operations at utilities across the country. Hackers had broken directly into these devices, gaining a foothold inside the physical machinery that keeps tap water safe.

That breach was not isolated. A broader joint advisory from CISA, the FBI, the NSA, the EPA, and allied governments named IRGC-linked cyber operators as the group behind PLC exploitation across multiple sectors. The advisory tied the activity to a group operating under the CyberAv3ngers persona, which has publicly claimed responsibility for attacks on Israeli and Western infrastructure. The Municipal Water Authority of Aliquippa, Pennsylvania, confirmed publicly that it was among the facilities hit in that wave, with attackers defacing a Unitronics controller screen with an anti-Israel message.

By 2024, the campaign had expanded well beyond opportunistic PLC targeting. A joint advisory published by CISA alongside the FBI, NSA, and intelligence agencies from Canada and Australia documented Iranian cyber actors using brute-force attacks and credential theft to compromise critical infrastructure organizations, including those in the energy sector. A separate advisory from CISA, the FBI, and the Department of Defense Cyber Crime Center detailed Iran-based intrusion activity through at least August 2024, cataloging specific tools and webshell code used to maintain persistent, long-term access inside U.S. networks.

The most recent advisory in this series, issued in spring 2026, builds directly on that foundation. According to the EPA’s announcement, U.S. organizations are “experiencing exploitation” and, in some cases, disruption. EPA leadership framed the threat in public-health terms, drawing a direct line between compromised water infrastructure and risks to drinking water safety. The United States has roughly 50,000 community water systems, according to EPA data, and many of the smallest ones operate with no dedicated cybersecurity staff at all.

What remains uncertain

No public federal document has disclosed how many U.S. facilities have been compromised or what “disruption” has looked like on the ground. That word could describe anything from a brief operational hiccup to serious interference with water treatment or power delivery. Without specifics, the scale of real-world harm to communities remains an open question.

Attribution carries its own layers of complexity. The advisories tie the activity to IRGC-affiliated actors and the CyberAv3ngers persona, but they do not identify specific IRGC units or individual operators. Whether these hackers are direct IRGC employees, contractors, or loosely affiliated groups acting with state tolerance is not spelled out in the public record. Iran’s government has not publicly acknowledged the campaign.

Intent is similarly unresolved. Gaining access to a programmable logic controller is not the same as using it to poison a water supply or shut down a power plant. Federal agencies have not publicly stated whether the intrusions represent pre-positioned sabotage capabilities meant to be activated during a geopolitical crisis, intelligence-gathering operations, or something else. The distinction matters enormously: it shapes both the urgency of the response and the appropriate policy reaction. Some of the advisories document Iranian actors enabling ransomware attacks on U.S. organizations, which suggests a financial motive running alongside any strategic one. Whether the PLC campaign serves the same dual purpose has not been confirmed.

There is also a basic question about how these systems were breached. The Unitronics-focused alerts emphasize weak or unchanged default passwords and internet-facing interfaces left exposed, the kind of vulnerabilities that basic cyber hygiene can fix. But the later advisories describe more sophisticated credential theft and persistence mechanisms. That mix makes it hard to say how much of the current risk could be addressed through simple password changes versus deeper architectural overhauls of industrial networks.

How to weigh the evidence

The strongest pieces of evidence here are the joint advisories themselves. Co-signed by multiple federal agencies and, in several cases, by allied governments, each advisory contains technical indicators of compromise, specific tactics and tools, and sector-level targeting data. These are primary operational documents with the institutional weight of agencies that have direct visibility into the intrusions.

The EPA’s public framing adds a dimension that purely technical advisories lack. By describing the threat in terms of drinking water safety and public health, the agency is speaking directly to the operators of those roughly 50,000 community water systems, many of which run on tight budgets and aging infrastructure. The EPA’s involvement signals that the federal government views this as an environmental and public health crisis, not just a national security concern.

Readers should distinguish between the confirmed technical exploitation and the broader strategic narrative. The technical evidence, including specific PLC models targeted, brute-force credential attacks documented, and webshell tools cataloged, is concrete and directly supported by published indicators of compromise. Claims about long-term geopolitical intent, potential wartime activation of access, or the exact role of Iranian state institutions involve inference and remain only partially illuminated by what has been made public.

What operators and the public should know

For critical infrastructure operators, the practical message from every advisory in this series is consistent: remove default passwords on PLCs, segment operational technology networks from the public internet, monitor for the listed indicators of compromise, and apply available firmware and software updates. Agencies also stress the importance of reporting incidents to federal partners like CISA, which allows analysts to correlate intrusions across sectors and sharpen future guidance.
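One way to turn those recommended steps into a repeatable self-check over an operator's own asset list, as an added example that is not code from the advisories or from any agency or vendor; the CSV layout, column names, firmware numbers and risk weights are constructed assumptions for illustration:

```python
"""Audit a constructed OT asset inventory against the advisory baseline.

Added example, not code from the advisories or any vendor. The CSV rows,
column names, firmware numbers and weights are constructed for illustration.
"""
import csv
import io

# Constructed sample inventory: one row per controller.
INVENTORY_CSV = """\
asset,model,reachable_from,credential_state,firmware,latest_firmware
chlorine-dosing-plc,Unitronics Vision,internet,default,9.8.60,9.8.65
pump-station-plc,Unitronics Vision,ot_vlan,changed,9.8.65,9.8.65
grid-feeder-rtu,Generic RTU,corporate_lan,changed,2.1,2.3
"""

# Assumed weight per finding, used only to order remediation work.
WEIGHTS = {"default-credentials": 3, "exposed:internet": 4,
           "exposed:corporate_lan": 2, "outdated-firmware": 1}


def _version(s: str) -> tuple:
    """Turn '9.8.60' into (9, 8, 60) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))


def audit_inventory(csv_text: str) -> dict:
    """Map each asset to the advisory steps it fails.

    The 'monitor for listed indicators of compromise' step needs the IoC list
    from the advisory itself, so it is out of scope for an inventory check.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["credential_state"] == "default":          # remove default passwords
            issues.append("default-credentials")
        if row["reachable_from"] != "ot_vlan":             # segment OT from internet/LAN
            issues.append("exposed:" + row["reachable_from"])
        if _version(row["firmware"]) < _version(row["latest_firmware"]):  # apply updates
            issues.append("outdated-firmware")
        findings[row["asset"]] = issues
    return findings


def remediation_order(findings: dict) -> list:
    """Assets sorted by risk weight, highest first, as (asset, score) pairs."""
    scored = [(asset, sum(WEIGHTS.get(i, 1) for i in issues))
              for asset, issues in findings.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for asset, score in remediation_order(audit_inventory(INVENTORY_CSV)):
        print(f"{score:>2}  {asset}")
```

An internet-reachable controller still on a default password lands at the top of the list, which matches the Unitronics cases the earlier alerts describe.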

For the broader public, the picture calls for seriousness without panic. The verified facts show that Iranian-affiliated actors have obtained access to some industrial control systems and, in certain cases, caused disruption. They do not show, at least in publicly released documents, successful mass contamination of water supplies or sustained blackouts. The risk is serious because of what these systems control and because access has already been demonstrated. But the actual impact described in federal sources so far appears limited and episodic rather than catastrophic.

What Congress and small utilities still have not addressed

The Aliquippa breach in 2023 drew national attention, but the broader response from both lawmakers and the water sector has been slow. As of mid-2026, Congress has not passed dedicated legislation to fund cybersecurity upgrades for the thousands of small and mid-size water utilities that remain most exposed. The EPA has issued guidance and enforcement actions urging compliance with existing Safe Drinking Water Act authorities, but the agency’s own attempts to mandate cybersecurity assessments through regulatory action faced legal challenges from state attorneys general and industry groups in 2024, resulting in the withdrawal of a proposed rule. On the utility side, many small systems still lack the budgets, staff, and technical expertise to implement even the basic defensive steps the advisories recommend. Whether federal funding, new legislation, or private-sector partnerships will close that gap remains one of the most consequential unanswered questions in this ongoing campaign.

*This article was researched with the help of AI, with human editors creating the final content.