On 7 April 2026, several U.S. federal agencies, including the Environmental Protection Agency and the Cybersecurity and Infrastructure Agency, released a joint cybersecurity advisory concerning the exploitation of programmable logic controllers from Rockwell Automation by actors affiliated with Iran. These hackers are targeting critical infrastructure, including water and wastewater utilities, leading to operational disruptions and financial losses. This increase in malicious activity is linked to the ongoing conflict and geopolitical tensions between the U.S. and Iran. To mitigate these risks, the advisory recommended that organizations “air gap” their systems by removing programmable logic controllers from public internet exposure and closely monitoring access to these controllers.
This advisory follows previous alerts issued by the Cybersecurity and Infrastructure Agency from 2023 to 2025 concerning threats from Iranian state-sponsored actors. Since 2023, the Iranian group CyberAv3ngers has compromised 75 Unitronic devices across the globe, including 34 in U.S. water utilities. Additionally, a prior alert from the Cybersecurity and Infrastructure Agency in September 2025 highlighted persistent vulnerabilities in Rockwell Automation’s Micro800 controllers.
