A new federal alert has sharpened attention on one of the oldest and most dangerous problems in industrial cybersecurity: programmable logic controllers, or PLCs, left reachable from the public internet.
In early April 2026, CISA and partner agencies warned that Iranian-affiliated actors were actively targeting U.S.-based PLCs tied to critical infrastructure, with disruptive effects already reported across multiple sectors.
For utilities, especially smaller operators with limited security staff, the message was blunt: Internet exposure has turned ordinary operational equipment into an attack path.
What Matters Most
- Exposed PLCs give attackers a direct path into utility operations.
- Federal agencies say Iranian-linked actors are actively targeting U.S. systems.
- Smaller utilities face higher risk because of legacy tools and limited staffing.
- Closing internet exposure and tightening remote access are urgent first steps.
Why PLC Exposure Matters So Much

PLCs are small industrial computers that control real-world processes. In utility environments, they can help regulate pumping, switchgear, pressure, chemical dosing, generation equipment, and other core functions.
When one of those devices sits behind strong segmentation and tightly managed remote access, compromise becomes harder. When one is exposed to the internet, an intruder may gain a direct shot at equipment that affects physical operations, not merely office files or email accounts.
EPA and CISA made a similar point in a late-2024 fact sheet on internet-exposed HMIs, warning that exposed OT interfaces can allow unauthorized users to view control screens, change settings, and disrupt water or wastewater treatment processes.
That risk is no longer theoretical. The April 2026 advisory says malicious activity has already led to PLC disruptions across several U.S. critical infrastructure sectors.
Reuters reported that U.S. officials tied the campaign to a broader escalation in Iranian hacking against American critical infrastructure, including water and energy systems.
Wired reported that the campaign has moved beyond nuisance activity and toward more serious operational sabotage.
What CISA and Partner Agencies Warned About
The advisory, issued with the FBI, NSA, EPA, Department of Energy, and U.S. Cyber Command, focused on ongoing threat actor activity against U.S.-based PLCs.
Search results from the advisory show inbound malicious traffic aimed at industrial ports including 44818, 2222, 102, 22, and 502.
CISA also warned that port targeting suggested interest beyond one vendor family, with signs that actors may be probing Rockwell Automation and Allen-Bradley devices as well as equipment associated with Siemens and Modbus-based environments.
Federal guidance around immediate mitigation was practical rather than flashy. Agencies urged operators to remove PLCs from direct internet exposure, place systems behind VPNs or gateway devices that can support multifactor authentication, review logs for suspicious traffic, and harden remote access.
A March 2026 EPA water-sector alert echoed the same priorities: limit PLC exposure to the public internet, keep controllers in run mode to block remote modification where appropriate, and replace default passwords with strong unique credentials.
A Problem Utilities Have Been Warned About for Years
April’s alert did not appear out of nowhere. In March 2024, Reuters reported that the U.S. government warned governors that foreign hackers were carrying out disruptive cyberattacks against water and wastewater systems.
That letter pointed to the Aliquippa, Pennsylvania water facility incident, where hackers linked to Iran disabled a controller and left a taunting message on the compromised system.
No water service damage was reported there, but the incident showed how a lightly defended operational device could become a geopolitical target.
Late in 2024, EPA and CISA issued another fact sheet, warning that pro-Russia hacktivists had manipulated internet-exposed HMIs at water and wastewater systems, maxing out set points, changing passwords, turning off alarms, and forcing operators into manual operations.
In other words, exposed industrial access points had already become a repeat pattern across more than one threat actor set.
Why Utilities Remain Vulnerable
Part of the answer is structural. Many utility environments still rely on legacy systems, limited staffing, and vendor-driven remote access arrangements built for convenience years ago.
Reuters reported in 2024 that cyberattacks on U.S. utilities had surged nearly 70% year over year, rising to an average of 1,162 attacks through August from 689 during the comparable period in 2023.
Reporting in that same piece also noted that the grid’s growing digital footprint is creating more potential entry points, while some experts view existing compliance standards as a floor rather than a full defense model.
Another problem is visibility. Dragos said in its 2026 OT report that adversaries are progressing from reconnaissance to operational disruption and are increasingly mapping entire industrial control environments rather than poking at isolated devices.
Dragos also reported a 49% year-over-year rise in ransomware groups targeting industrial organizations and said incident responders directly observed threat activity at U.S. electric and water utilities in 2025.
Where Risk Usually Builds Up
| Risk area | Why it matters |
| --- | --- |
| Internet-exposed PLCs or HMIs | Gives attackers a direct route toward operational equipment |
| Default or weak passwords | Makes intrusion far easier, especially against known devices |
| Flat OT networks | Lets an intruder move farther after initial access |
| Uncontrolled remote access tools | Expands entry points for vendors, contractors, or attackers |
| Poor logging and asset inventory | Slows detection and response during a live incident |
EPA and CISA guidance on exposed HMIs supports every line in that table, especially around inventory, password changes, segmentation, MFA, allowlisting, and login monitoring.
What Utility Operators Should Be Doing Now

For operators, the first question is simple: which devices are reachable from the internet right now? CISA’s exposure-reduction guidance and related water-sector materials keep returning to the same sequence. Inventory exposed assets. Remove public-facing access wherever possible. Put remote connectivity behind a secured gateway or bastion host. Require MFA. Segment OT from business IT. Keep patches current. Watch logs for access at odd hours or from suspicious sources.
For smaller municipal and cooperative utilities, a complete modernization program may be unrealistic in the near term. Even so, some high-value fixes do not require a massive overhaul. Closing exposed ports, retiring default credentials, restricting vendor access to approved IP ranges, and separating HMIs from public networks can remove the easiest paths first.
Federal agencies have also pointed utilities toward free vulnerability scanning and technical assistance, which matters for resource-constrained operators.
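The log review and approved-IP-range steps above can be combined into one triage pass over perimeter firewall logs. The sketch below is an added example, not code from the advisory or any agency. The log format, approved ranges, working hours, and sample lines are all constructed assumptions, and the protocol labels are the common assignments for the ports this article lists.

```python
import ipaddress
from datetime import datetime

# Ports named in the advisory as quoted in this article; protocol labels are
# the commonly used assignments, added here for readability.
WATCHED_PORTS = {
    44818: "EtherNet/IP (CIP)",
    2222: "EtherNet/IP I/O",
    102: "ISO-TSAP / Siemens S7",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumptions: approved vendor/VPN ranges and working hours are site-specific.
APPROVED_SOURCES = [ipaddress.ip_network("198.51.100.0/28")]
WORK_HOURS_UTC = range(12, 23)  # 12:00-22:59 UTC

# Constructed sample lines, hypothetical format: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2026-04-07T14:02:11Z,198.51.100.5,10.20.0.11,44818,ALLOW
2026-04-07T02:14:09Z,203.0.113.45,10.20.0.11,502,ALLOW
2026-04-07T02:14:10Z,203.0.113.45,10.20.0.12,102,DENY
2026-04-07T03:30:00Z,198.51.100.5,10.20.0.11,22,ALLOW
2026-04-07T15:00:00Z,192.0.2.77,10.20.0.30,443,ALLOW
not,a,valid,line
"""

def triage(log_text):
    """Return (severity, src, dst, port, reasons) for suspicious hits on watched ports."""
    findings = []
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, action = line.strip().split(",")
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            src_ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue  # skip malformed or truncated lines
        if port not in WATCHED_PORTS:
            continue
        reasons = []
        if not any(src_ip in net for net in APPROVED_SOURCES):
            reasons.append("unapproved-source")
        if when.hour not in WORK_HOURS_UTC:
            reasons.append("off-hours")
        if reasons:
            # An ALLOW from an unapproved source means the controller was reachable.
            sev = "high" if action == "ALLOW" and "unapproved-source" in reasons else "review"
            findings.append((sev, src, dst, port, tuple(reasons)))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings. Only the allowed Modbus connection from an unapproved address is rated `high`; the denied probe and the approved vendor's off-hours SSH session are marked `review`.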
Regulation Helps, but It Does Not Remove the Problem
Power-sector cyber rules continue to evolve. FERC approved Reliability Standard CIP-015-1 in 2025 for internal network security monitoring, and March 2026 commission materials show ongoing action around CIP-003-11 for security management controls.
NERC’s 2026 CIP Roadmap also argues for targeted, risk-driven evolution of standards and broader use of measures such as multifactor authentication. All of that is useful, but even good standards cannot save an operator that leaves critical controls openly accessible.
Final Take
CISA’s alert landed because exposed PLCs remain one of the clearest bridges between cyber intrusion and physical disruption. Utilities do not need a dramatic Hollywood-style attack to suffer real harm.
A single exposed controller, a stale password, or a poorly managed remote access link can be enough to force manual operations, service interruption, or expensive recovery.
Federal warnings have been consistent for more than two years. April 2026 added fresh urgency, and for many operators, urgency is already overdue.