What You Need to Know
Key takeaway #1
Iran-affiliated threat actors are actively targeting and exploiting programmable logic controllers (PLCs) used in internet-connected operational technology (OT) devices across the water and waste, energy, and government services and facilities sectors.
Key takeaway #2
Multiple organizations in U.S. critical infrastructure sectors have experienced operational disruptions and financial losses from the Iranian threat actors' exploitation of these controllers.
Key takeaway #3
Network defenders should immediately identify exposed PLCs, disconnect them from the internet or harden them without delay, review logs for indicators of compromise, and update their incident response plans to ensure they cover OT, IT, and business systems.
Background
On April 7, 2026, six federal agencies (FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command – Cyber National Mission Force) published a joint advisory warning that Iranian-affiliated threat actors are targeting internet-facing OT devices, particularly PLCs. In some cases, the threat actors have caused operational disruptions and financial losses at U.S. critical infrastructure organizations by manipulating software files that contain configuration settings as well as showing false data on hardware and software dashboards and displays.
This campaign builds on a wave of intrusions beginning in November 2023 during which actors assessed to be affiliated with Iran's Islamic Revolutionary Guard Corps Cyber Electronic Command, known by aliases including CyberAv3ngers, Hydro Kitten, Bauxite, and several others, compromised at least seventy-five Unitronics PLC devices across U.S. critical infrastructure. The 2026 campaign, active since at least March, targets a different class of equipment and appears broader in scope.
The advisory notes that, with the ongoing conflict, targeting campaigns against U.S. organizations have escalated. Recent guidance suggests that Iran-affiliated threat actors are moving beyond pre-positioning and covert espionage to deploying attacks that cause operational disruptions and financial losses.
What Operators Should Do
- Remove PLCs and other OT devices from direct internet exposure. This is the primary recommendation. If a PLC or other OT device is reachable from the public internet without a controlled intermediary (a firewall, secure gateway, or virtual private network (VPN)), that exposure should be closed now. Additionally, for PLCs that have a physical mode switch or software key switch that prevents remote modifications, those should be activated. Network defenders should also create offline backups of the logic and configuration of their PLCs for faster recovery.
- Secure the OT network if internet access is required. This includes implementing multifactor authentication for access to the OT network; updating PLC devices with the latest software patches from the manufacturer; blocking traffic on common ports that are unnecessary for regular use; and implementing asset management systems that monitor and alert on device configuration changes.
- Review logs against the advisory's published indicators of compromise. The advisory provides IP addresses and vulnerable ports that are indicative of potential compromise. Organizations should retain OT network traffic logs and review them for the indicators of compromise within the timeframes the advisory provides.
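The log review in the last step, as an added example that is not part of the advisory or of this alert: it matches OT firewall log lines against an indicator list within a review window, flagging both connections from listed source IPs and connections to watched PLC service ports. The IP addresses, ports, log format, dates and sample lines are constructed placeholders and must be replaced with the advisory's published values and the organization's own log format.

```python
# Added example (not from the advisory or Crowell): match OT firewall logs against
# an indicator list within a review window. All IPs, ports and log lines are constructed.
from datetime import datetime
from ipaddress import ip_address
import re

IOC_IPS = {ip_address("203.0.113.17"), ip_address("198.51.100.9")}  # constructed placeholders
IOC_PORTS = {502, 20256}  # constructed watchlist of PLC service ports; use the advisory's list

# Constructed log format: "<ISO timestamp> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

def review_logs(lines, start, end, ioc_ips=IOC_IPS, ioc_ports=IOC_PORTS):
    """Return (hits, skipped): hits are dicts for lines inside [start, end] whose source IP
    or destination port is on the watchlist; malformed lines are counted, not raised on."""
    hits, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts = datetime.fromisoformat(m["ts"])
        if not start <= ts <= end:
            continue  # outside the advisory's review window
        reasons = []
        if ip_address(m["src"]) in ioc_ips:
            reasons.append("source IP on indicator list")
        if int(m["dport"]) in ioc_ports:
            reasons.append("connection to watched PLC port")
        if reasons:
            hits.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "reasons": reasons})
    return hits, skipped

# Constructed sample lines: IOC IP in window, watched port in window, IOC IP out of window, benign, malformed.
SAMPLE_LOG = [
    "2026-03-12T04:15:02 203.0.113.17:51234 -> 10.20.0.5:502 ALLOW",
    "2026-03-12T04:15:09 192.0.2.44:40001 -> 10.20.0.5:20256 ALLOW",
    "2026-01-30T22:01:00 203.0.113.17:51235 -> 10.20.0.5:502 ALLOW",
    "2026-03-13T09:00:00 10.20.0.9:33000 -> 10.20.0.5:443 ALLOW",
    "not a log line",
]

def run_sample():
    return review_logs(SAMPLE_LOG, datetime(2026, 3, 1), datetime(2026, 4, 7))  # constructed window

if __name__ == "__main__":
    hits, skipped = run_sample()
    for h in hits:
        print(h["ts"].isoformat(), h["src"], "->", h["dst"], h["dport"], "; ".join(h["reasons"]))
```

Both a listed source IP and a connection to a watched PLC port are reported as separate reasons, so a single line can carry more than one reason; lines outside the window are ignored even when they match an indicator.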
How Crowell Can Help
Crowell is happy to assist clients navigating the legal and regulatory dimensions of this advisory. If you have questions, want to assess your compliance posture, or need assistance developing or testing an incident response plan, please reach out to the authors of this alert or your regular Crowell contact. We are available on an urgent basis for clients facing active incidents or time-sensitive compliance decisions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.