Articles · April 12, 2026

Iran's Cyber Campaign Is Hitting Physical Infrastructure

Iranian-affiliated hackers are targeting PLCs in US water and energy systems. Here's what infrastructure operators need to know about the active campaign.

PLCs Under Attack

On April 7, 2026, CISA, the FBI, NSA, EPA, Department of Energy, and U.S. Cyber Command issued a joint advisory: Iranian-affiliated hackers are actively targeting programmable logic controllers across U.S. critical infrastructure (CISA Advisory AA26-097A). The attacks have already caused operational disruption and financial loss at multiple organizations.

This isn't theoretical. It's happening now.

What's Being Targeted

Since at least March 2026, an Iranian APT group has exploited internet-connected Rockwell Automation PLCs -- specifically CompactLogix and Micro850 models -- deployed in water treatment, energy, and government facilities (TechCrunch).

The attacks:

  • Disrupt PLC functionality, taking devices offline or altering their behavior
  • Manipulate display data on human-machine interfaces and SCADA systems, making operators think systems run normally when they don't
  • Target facilities with internet-exposed PLCs, exploiting known vulnerabilities rather than advanced zero-days

The campaign links directly to the broader U.S.-Iran military conflict that began February 28, 2026. Iranian state-aligned groups operating under the "Electronic Operations Room" -- formed the same day as the initial U.S.-Israel strikes -- have claimed responsibility for multiple attacks (Palo Alto Unit 42).

Why This Matters Beyond Cyber

When a PLC goes down at a water treatment plant, the problem isn't digital -- it's physical. Untreated water, pressure failures, contamination risk. When attackers manipulate a PLC at an energy facility, the downstream effects hit hospitals, data centers, and manufacturing lines that depend on stable power.

NERC, the body responsible for North American grid reliability, confirmed it is "actively monitoring the grid" following this advisory (Utility Dive).

The pattern is clear: cyber attacks on operational technology create physical consequences. For infrastructure operators, the boundary between "cyber incident" and "operational disruption" no longer exists.

What to Do Now

  • Audit internet exposure. The CISA advisory's top recommendation: remove PLCs from direct internet access immediately. Place them behind firewalls and secure gateways.
  • Check your Rockwell Automation inventory. CompactLogix and Micro850 devices are specifically named. If you run them, patch and isolate now.
  • Bridge cyber and physical risk monitoring. A cyber breach at a physical facility creates a compound event. Teams monitoring physical risk -- weather, civil unrest, supply disruption -- need to coordinate with IT and OT security teams. Orion provides the physical and geopolitical risk layer that complements cyber monitoring tools, giving infrastructure operators a fuller picture of compound threats.
  • Watch for escalation. The U.S.-Iran conflict is not resolved. Expect continued cyber operations against Western-aligned infrastructure as long as hostilities persist.
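As an added example for the first two steps above (not code from the article, the advisory, or Orion), the script below cross-checks a PLC inventory against a firewall rule export and flags any controller that an untrusted source may reach on an industrial protocol port, ranking Rockwell CompactLogix and Micro850 devices first because the advisory names them. The CSV layouts, the trusted prefix (10.0.0.0/8) and the sample rows are constructed assumptions; the EtherNet/IP port numbers are protocol knowledge rather than values taken from the advisory.

```python
"""Cross-check a PLC inventory against firewall rules for direct internet exposure.
Constructed example: CSV layouts, trusted prefix and sample rows are assumptions."""
import csv
import io
import ipaddress

NAMED_FAMILIES = ("compactlogix", "micro850")        # families named in AA26-097A
ICS_PORTS = {("tcp", 44818), ("udp", 2222)}          # EtherNet/IP explicit msg / CIP I/O (protocol knowledge)
TRUSTED_SRC = [ipaddress.ip_network("10.0.0.0/8")]   # assumed OT/engineering address space

# Constructed sample data (not real assets or rules).
PLC_INVENTORY = """\
site,model,ip
water-plant-1,CompactLogix 1769-L33ER,10.20.1.7
water-plant-1,Micro850 2080-LC50,10.20.1.8
substation-4,ControlLogix 1756-L81E,10.30.2.4
"""
FIREWALL_RULES = """\
action,src,dst,proto,dport
allow,0.0.0.0/0,10.20.1.7,tcp,44818
allow,10.20.0.0/16,10.20.1.8,tcp,44818
allow,0.0.0.0/0,10.30.2.4,tcp,443
allow,192.0.2.0/24,10.30.2.4,udp,2222
"""

def untrusted_source(src: str) -> bool:
    """True unless the source prefix sits entirely inside a trusted network."""
    net = ipaddress.ip_network(src, strict=False)
    return not any(net.subnet_of(t) for t in TRUSTED_SRC)

def find_exposed(inventory_csv: str, rules_csv: str) -> list[dict]:
    """PLCs reachable on an ICS port from an untrusted source; P1 if the model is named in the advisory."""
    rules = list(csv.DictReader(io.StringIO(rules_csv)))
    findings = []
    for plc in csv.DictReader(io.StringIO(inventory_csv)):
        hits = [r for r in rules if r["action"] == "allow" and r["dst"] == plc["ip"]
                and (r["proto"], int(r["dport"])) in ICS_PORTS and untrusted_source(r["src"])]
        if not hits:
            continue  # no permitted path from outside the trusted space
        named = any(f in plc["model"].lower() for f in NAMED_FAMILIES)
        findings.append({"site": plc["site"], "model": plc["model"], "ip": plc["ip"],
                         "priority": "P1" if named else "P2",
                         "rules": [f"{r['src']}->{r['proto']}/{r['dport']}" for r in hits]})
    return sorted(findings, key=lambda f: f["priority"])

if __name__ == "__main__":
    for f in find_exposed(PLC_INVENTORY, FIREWALL_RULES):
        print(f["priority"], f["site"], f["model"], f["ip"], ", ".join(f["rules"]))
```

Only the P1 CompactLogix (open to 0.0.0.0/0 on TCP 44818) and the P2 ControlLogix (UDP 2222 from a non-trusted prefix) are reported; the Micro850 is reachable only from the trusted OT range and so is not flagged.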

Wrapping Up

This is a live campaign, not a forecast. If you operate critical infrastructure, treat this advisory as urgent. Request a demo to see how Orion monitors the geopolitical conditions that drive these campaigns.
