What Critical Infrastructure Members Need to Know
Critical Infrastructure Security Bulletin • April 2026
The geopolitical landscape shifted dramatically on February 28, 2026, when U.S. and Israeli military operations against Iranian nuclear and military infrastructure triggered a sharp escalation in Iranian state-sponsored cyber activity. For members operating in the energy, utility, and water sectors, the threat is no longer theoretical. Iranian cyber actors have demonstrated both the capability and the intent to target Operational Technology (OT) systems—the same industrial control systems that regulate power grids, pump stations, and water treatment facilities across the country.
This article provides an overview of the current threat environment, explains why OT environments are particularly at risk, and outlines concrete steps your organization can take today to reduce its exposure.
Iran’s Evolving Cyber Capabilities
Iran’s cyber program is no longer a fringe concern—it is a mature, multi-layered apparatus. The Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS) operate advanced persistent threat (APT) groups with a well-documented history of targeting U.S. critical infrastructure. These state actors are augmented by a broad network of hacktivist proxy groups that can be activated rapidly in response to geopolitical events.
One group in particular warrants close attention: CyberAv3ngers, an IRGC-affiliated cyber persona that has repeatedly claimed responsibility for attacks on water and energy infrastructure in the United States and Israel. This group gained notoriety beginning in late 2023 when it actively compromised Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs) at multiple U.S. water and wastewater facilities—gaining access to systems that directly control physical processes.
Since that campaign, Iran’s targeting has only expanded. A CISA advisory confirmed that Iranian-affiliated actors had gained SCADA access at six U.S. water utilities serving a combined population of over 3 million people. As of early 2026, intelligence agencies report heightened pre-positioning activity across energy and water sector OT networks.
Why OT Environments Are a Prime Target
Operational Technology—the hardware and software that monitors and controls physical infrastructure—presents a uniquely challenging security profile. Unlike traditional IT systems, OT environments were often designed decades ago with availability and reliability as the primary concerns, not cybersecurity. The result is an attack surface with several systemic vulnerabilities that Iranian actors have learned to exploit:
- Internet-exposed devices: Tens of thousands of ICS devices, including PLCs, HMIs, and SCADA terminals, remain directly reachable over the public internet, often on vendor protocol ports (for example TCP 20256, the PCOM service port on Unitronics Vision PLCs) and often still using default or weak credentials. Device types confirmed as targeted in this activity include Unitronics Vision PLCs, Red Lion equipment, and the Tridium Niagara framework.
- Legacy systems and limited patching cycles: Many OT systems cannot be easily patched or updated without disrupting operations. Known vulnerabilities persist for months or years, providing adversaries with a reliable entry point.
- IT/OT convergence: As utilities have integrated their operational networks with corporate IT infrastructure for remote monitoring and efficiency, the traditional “air gap” that once protected OT systems has eroded. A compromise in the IT environment can now serve as a pivot point into OT.
- Under-resourced security programs: Water utilities and smaller energy operators frequently lack dedicated OT security staff and operate on security budgets that cannot keep pace with evolving threats.
Iranian threat actors have shown a clear understanding of these weaknesses. Their documented tactics include logging in with default credentials, using legitimate engineering and diagnostic software to move laterally within OT networks, replacing the existing ladder logic on PLCs with their own code, and disabling remote access functions so that operators cannot regain control of the device.
The Current Threat Posture
Following the February 28, 2026 military escalation, CISA issued an emergency advisory warning all U.S. critical infrastructure operators of an elevated and imminent Iranian cyber threat, specifically calling out water systems and energy infrastructure as the highest-risk targets. Intelligence analysts have observed over 60 Iran-aligned hacktivist groups activate in the days since, initiating reconnaissance, distributed denial-of-service (DDoS) campaigns, and targeted intrusion attempts.
The current threat posture is not primarily about dramatic, immediately visible attacks. Iranian actors are known to prioritize pre-positioning—quietly gaining and maintaining access to OT environments in advance of a potential decision to cause disruption. The concern for energy and water utilities is that access may already exist in some networks, waiting to be leveraged.
Immediate Actions for Members
CISA, FBI, and sector-specific agencies have issued consistent guidance for organizations operating OT environments. Members should prioritize the following steps:
- Audit internet-facing OT devices immediately. Identify all PLCs, HMIs, and SCADA systems with direct internet exposure, using both an external scan of your public address space and a review of firewall rules, since an internal inventory alone will miss devices that were connected outside the formal change process. Where possible, disconnect them from the public internet. If remote access is operationally necessary, place a firewall or VPN in front of the device, enforce deny-by-default access rules, and allowlist only the specific source addresses that need to connect. Moving a service to a non-default port is not a substitute for removing the exposure.
- Change all default passwords. Iranian actors have repeatedly exploited default credentials, most notably the factory default password (1111) on Unitronics Vision PLCs. Ensure all OT devices, including those that have been in service for years, are using strong, unique passwords, and record the verification date for each device so that unchecked units are visible.
- Enforce multi-factor authentication (MFA) for all remote OT access. Credential-based attacks are far less effective when MFA is in place. Prioritize phishing-resistant MFA (e.g., hardware tokens or FIDO2-based methods) for any account that can reach OT systems.
- Review and segment OT network architecture. Evaluate the boundaries between your IT and OT environments. Implement network segmentation so that a compromise in your corporate network cannot directly reach your operational systems. Review firewall rules for any unnecessary connectivity between IT and OT zones.
- Establish or review your OT incident response plan. Ensure your team knows the steps to isolate affected systems without disrupting critical service delivery. Maintain tested, offline backups of PLC logic and device configurations so a controller can be restored if its program is overwritten, and identify manual override capabilities for key processes and confirm they are functional.
- Report anomalies promptly. Any unusual activity in OT environments—unexpected configuration changes, unfamiliar remote logins, or device behavior inconsistent with normal operations—should be reported to CISA (via cisa.gov/report) and your sector’s information sharing and analysis center (ISAC).
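The first four actions above (exposure, default credentials, remote access, MFA) can be tracked as a single audit over your asset inventory. The script below is an added example written for this bulletin, not CISA, Enduris, or vendor tooling. It assumes an inventory export with, per device, the open ports, whether an external scan reached it, whether the factory password is verified changed, how remote access reaches it, and whether MFA is enforced on that path. The device records, hostnames, and model names are constructed; the port-to-protocol table is taken from public vendor documentation and is an assumption of the example.

```python
"""Hypothetical OT exposure audit written for this bulletin.

It is not CISA, Enduris or vendor tooling. It checks an asset inventory
against the highest-impact controls in the bulletin: no ICS services
reachable from the internet, no factory default credentials, no remote
sessions terminating directly on a device, and MFA on every remote path
into OT. All device records below are constructed examples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP ports of ICS protocols named in the bulletin. Port assignments follow
# public vendor documentation and are an assumption of this example.
ICS_PORTS: Dict[int, str] = {
    502: "Modbus/TCP",
    20256: "Unitronics PCOM",
    1911: "Tridium Niagara Fox",
    4911: "Tridium Niagara Fox over TLS",
    789: "Red Lion Crimson",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Device:
    name: str
    model: str
    open_ports: List[int]
    internet_reachable: bool          # result of an external scan or firewall review
    default_password: Optional[bool]  # True = verified default, False = changed, None = unknown
    remote_access: str                # "none", "direct" (service exposed) or "vpn"
    mfa: bool                         # MFA enforced on the remote path


@dataclass
class Finding:
    device: str
    severity: str
    control: str
    detail: str


def audit(devices: List[Device]) -> List[Finding]:
    """Return findings ordered by severity, then by device name."""
    findings: List[Finding] = []
    for d in devices:
        exposed = [p for p in d.open_ports if p in ICS_PORTS]
        if d.internet_reachable and exposed:
            names = ", ".join(f"{p}/{ICS_PORTS[p]}" for p in exposed)
            findings.append(Finding(d.name, "critical", "exposure",
                                    f"ICS service reachable from the internet: {names}"))
        if d.default_password is True:
            findings.append(Finding(d.name, "critical", "credentials",
                                    "factory default password still in use"))
        elif d.default_password is None:
            # Unknown is not the same as safe: the device must be checked.
            findings.append(Finding(d.name, "medium", "credentials",
                                    "credential state not recorded; verify on the device"))
        if d.remote_access == "direct":
            findings.append(Finding(d.name, "high", "remote-access",
                                    "remote sessions terminate on the device; front it with a firewall or VPN"))
        if d.remote_access != "none" and not d.mfa:
            findings.append(Finding(d.name, "high", "mfa",
                                    "remote path into OT has no multi-factor authentication"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.device))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so the worst gap is visible at a glance."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory: names, models and port lists are invented.
SAMPLE_INVENTORY = [
    Device("lift-station-3-plc", "unitronics_vision", [20256, 80], True, True, "direct", False),
    Device("plant-hmi-1", "red_lion_crimson", [789], False, False, "vpn", True),
    Device("hq-niagara-jace", "tridium_niagara", [1911, 4911], True, None, "vpn", False),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity.upper():8}] {f.device}: {f.control}: {f.detail}")
    print(summarize(results))
```

On the constructed inventory the lift-station PLC produces four findings (exposed PCOM port, default password, direct remote access, no MFA) and the Niagara host three, while the HMI behind a VPN with MFA and a changed password produces none. Treat the "unknown" credential state as work to do, not as a pass: a device whose password has never been verified is the one most likely still on its factory setting.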
Looking Ahead
The conflict with Iran has entered a phase where cyber operations are an integral part of the strategic toolkit—not a secondary consideration. For critical infrastructure operators, the question is no longer whether adversaries are attempting to gain access, but whether your defenses are sufficient to detect and contain those attempts.
The good news is that the highest-impact protections—removing unnecessary internet exposure, eliminating default credentials, and enforcing MFA—are achievable without large capital investments. The organizations that act on these measures now will be significantly better positioned than those that wait.
We encourage all members to review the latest CISA advisories, engage with your regional ISAC, and reach out if you need support assessing your OT security posture. This is a moment that calls for vigilance—and action.
If your organization experiences a cyber incident, do not hesitate to contact Enduris immediately. As your member-owned risk pool, Enduris is here to help you navigate the response process—from initial containment and evidence preservation to coordinating legal counsel and forensic specialists. Early notification is critical: timely reporting helps protect your coverage, limits the scope of the incident, and ensures you have the right expertise engaged from the start. You can reach Enduris at enduris.us or by calling our office directly at 1-800-462-8418. You don’t have to face a cyber incident alone—that’s what membership is for.
Additional Resources
CISA Iran Threat Overview: https://cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats/iran
CISA Advisory AA23-335A (IRGC PLC Exploitation): https://cisa.gov/news-events/cybersecurity-advisories/aa23-335a
CISA Advisory AA24-290A (Brute Force & Credential Access): https://cisa.gov/news-events/cybersecurity-advisories/aa24-290a
WaterISAC: https://waterisac.org
E-ISAC (Electricity): https://eisac.com