As tensions in the Middle East continue to shift among military escalation, ceasefire arrangements and diplomatic negotiations, Iranian-linked cyber actors remain a persistent source of risk for U.S. electric, water and municipal utilities. Iran’s interest in targeting operational technology (OT) as a mechanism of asymmetric warfare is not new. For more than a decade, the U.S. intelligence community has warned that Iran poses a cyberthreat to the critical infrastructure of the U.S. and its allies. What has changed is the maturity and operational relevance of those capabilities.
In 2024, Iran-affiliated actors demonstrated they could access and manipulate U.S. control systems across water, wastewater and energy environments. Those incidents were limited in scope, but they demonstrated that Iran is developing capabilities to affect visibility, control and operations at a time of its choosing. By 2026, government advisories and technical analyses now point to more dangerous and scalable demonstrations of those capabilities. Combined with persistent exposure of internet-facing OT assets, this progression raises the stakes for the safe and reliable delivery of essential services.
It is vital to understand what has changed, why it matters to utility operators, and how utilities can take meaningful, practical steps to reduce this risk without disrupting operations.
From Warnings to Real-World Operations
A key lesson from this conflict is that these cyber risks do not disappear with ceasefire agreements or the resumption of diplomatic talks. Nation-state actors such as Iran will continue reconnaissance, access development and opportunistic targeting of exposed systems to maintain options for future operations. U.S. utilities should not view a lull in hostilities as a reason to shift attention elsewhere. Instead, they should take advantage of this moment to identify and address vulnerabilities that provide capable actors a direct route to systems that support essential services, particularly internet-exposed OT access paths.
An April 2026 joint cybersecurity advisory led by the Cybersecurity and Infrastructure Security Agency (CISA) warned of ongoing exploitation targeting internet-facing OT devices, including programmable logic controllers (PLCs). The advisory reports disruptions across multiple U.S. critical infrastructure sectors, including government services and facilities (including local municipalities), water and wastewater systems, and energy.
According to the authoring agencies, this activity has led to PLC disruptions through malicious interactions with the project file and manipulation of data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.
Utility operators should immediately recognize that when OT devices are exposed to the internet, cyberthreats can move quickly from initial access to malicious effects faster than human defenders can respond.
The Exposure Problem Utilities Can’t Ignore
Independent scanning and exposure analysis in response to the CISA advisory reinforces the exposure problem. Thousands of internet-facing OT devices remain reachable from the internet. Specifically, according to Censys’ exposure analysis, in the United States alone roughly 3,900 Rockwell Automation PLCs appear to be internet-exposed, many of which are connected through cellular networks that support remote field assets.
These setups are common in public power systems, water utilities and midsize municipal organizations, driven by distributed assets, remote locations and limited staffing. When legacy remote access remains exposed to the internet, it creates a direct pathway for adversaries to reach operational systems and disrupt operations on their timeline.
Utilities must manage their own exposure in the face of continuously changing geopolitics and evolving threats. Closing obvious internet-facing OT access paths is one of the fastest ways to buy down high-consequence risk before an attack disrupts essential services.
Capability Plus Exposure Equals Consequence
High-consequence OT risk tends to emerge when two conditions are present at the same time: a capable adversary with OT-specific tradecraft, and environments that were built for availability and safety, not to contend with preventing sustained hostile interactions.
When those conditions align, loss of operator visibility, unexpected control modifications and forced transitions to manual operations can quickly create reliability and safety challenges in systems with little tolerance for uncertainty.
Because OT asset exposure is the factor that utilities can control most directly, reducing internet reachability and tightening OT access paths are among the highest-leverage ways to reduce the attack surface.
Reducing Risk Without Disrupting Operations
Federal guidance points utilities toward the right fundamental actions: Segment networks to reduce or eliminate direct internet reachability of control system components, implement secure remote access where connectivity is required, strengthen authentication, and maintain accurate OT asset inventories. The challenge is execution in live environments where uptime, safety and field operations come first, and where utilities may not have the resources or technical know-how for effective implementation of these security controls.
Effective risk reduction starts with alignment with how your plant or systems operate. That means understanding who needs remote access, what devices are exposed, how changes are made and what normal OT traffic looks like. Done well, this becomes a joint effort across engineering, operations and security, with controls designed around operational reality rather than IT assumptions. Logical steps include:
- Putting guardrails around remote access by reducing direct internet reachability and applying strong authentication where connectivity is operationally required.
- Building a reliable OT asset and exposure baseline so teams know what is reachable, what is critical and what to address first.
- Establishing a routine verification process to continuously validate the organization’s public attack surface and confirm that no OT-facing access paths have become internet-reachable.
- Strengthening OT boundaries and monitoring around critical process networks, so abnormal access attempts are detected early and contained before they become operational events.
Nation-state cyber pressure on OT is rising, but utilities do not have to respond with guesswork or disruption. Focused exposure assessments, OT-informed road maps and mitigation support that fits how your systems function are clear operations-first steps to reduce OT exposure.
