Experts have contended that US critical infrastructure is far too exposed to online threats—particularly Internet-connected “programmable logic controllers,” which can cause catastrophic damage if hacked.

Only a week after the White House announced it wouldcut the budget for the Cybersecurity and Infrastructure Security Agency (CISA) by $707 million, multiple agencies, including CISA, the FBI, and the NSA, issued a joint warning that Iranian-linked hackers were actively targeting critical infrastructure across the United States.

The state-supported actors have focused their efforts on water, wastewater, energy, and government systems.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices,” the intelligence community’s joint warning stated. The agencies co-authoring the report—CISA, the FBI, the NSA, the EPA, the Department of Energy, and the Cyber National Mission Force—added that Iranian cyber activity had escalated since last month, with confirmed incidents resulting in operational disruptions and financial losses.

According to the agencies, the attacks have specifically targeted Internet-exposed “programmable logic controllers” (PLCs) and “industrial control systems” (ICSs) used to operate infrastructure, particularly PLCs manufactured by Rockwell and Allen-Bradley. Threat actors have been observed manipulating system data and extracting project files, with the stated intent of causing disruptive effects within US systems.

US government officials said the campaign spans multiple sectors and organizations nationwide, though the total number of impacted entities has not been disclosed.

“The threat of cyberattack from Iran is real,” Andrew Chipman, GRC manager at cybersecurity consulting company ProCircular, told The National Interest.

Chipman added that the US could expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime.

“If Iran is able to build back their regime, we may see direct retaliation from Iran in the form of cyber-attacks against highly visible targets,” Chipman said. “History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters. However, any critical infrastructure is a potential target, and now we have examples of Programmable Logic Controllers being attacked.”

Cyberwarfare Levels the Playing Field—and America Isn’t Ready

Chipman wasn’t alone in offering such a stark assessment of the situation. Nor should the intelligence community report be surprising. Since President Donald Trump returned to the White House in January 2025, there have been complaints that his administration has not devoted enough resources to cybersecurity.

In some ways, this is almost to be expected. The threat from a cyberattack isn’t readily apparent, and the need for cyber experts within the government doesn’t fit the Department of Defense’s new focus on a “warrior ethos” that calls for warfighters who can run, jump, and fight through traditional means.

At the same time, many of America’s greatest potential foes have embraced how cyber levels the playing field. This isn’t limited to China and Russia.

North Korea and Iran understand fully how they can never defeat the United States on the conventional battlefield. Still, cyber is a domain where they can inflict as much, and arguably more, damage. That’s because even as the Islamic Republic embraces cyber warfare, it is a less connected country. In contrast, the United States is a wired and unwired collection of networks that are increasingly protected.

The old danger of “barbarians at the gate” no longer matters in the 21st century, because the traditional walls have already been breached.

Why Industrial Control Systems Matter

What makes this latest warning from CISA, the FBI, and the NSA especially noteworthy is that it suggests Iranian hackers have a very specific target: programmable logic controllers, which are a critical part of ICS devices. These serve as the specialized “brains” of modern automation, essential for regulating complex processes, ensuring manufacturing accuracy, and maintaining safety by monitoring inputs and controlling output devices in real time.

The malicious hacking of a PLC can be especially dangerous, as controllers serve as the direct digital interface to physical industrial processes. A rough analogue to this process took place within Iran itself nearly two decades ago, when the “Stuxnet” worm hacked Iranian uranium enrichment centrifuges, causing them to spin out of control and physically tear themselves apart.

In that instance, there was no damage to Iranian civilian infrastructure. However, a breach of the PLCs embedded in US civilian infrastructure could directly result in physical destruction, environmental disasters, or safety hazards. PLCs manage crucial infrastructure, including water treatment plants, nuclear power plants, and factories, making them high-value targets for malicious actors seeking to cause widespread disruption or economic damage. 

“ICS security matters because it underpins physical operations so that a compromise can mean real-world disruption, not just data loss,” Sunil Gottumukkala, CEO of cybersecurity provider Averlon, told The National Interest. “Many of the systems being targeted were never designed to be secured or updated at the pace modern threats require, and they still rely on legacy infrastructure where monitoring is limited, and patching isn’t always feasible without operational impact.

Gottumukkala observed that even when these systems aren’t directly exposed, they’re often connected through upstream systems, remote access, or vendor pathways that attackers can leverage as part of a broader attack chain.

US Critical Infrastructure Isn’t Secure Enough

“The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot,” said Damon Small, board of directors at cybersecurity provider Xcape, Inc.

Small told The National Interest that by leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed PLC is not a poor technical design—it is a pre-staged kinetic weapon.

It is therefore crucial that security leaders acknowledge that these “nuisance” disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires.

“The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve,” Small said.

The problem is also likely to get worse.

“As threat activity increases and AI accelerates reconnaissance and exploit development, the response window continues to shrink while the ability to safely respond remains constrained,” suggested Gottumukkala.

The threat to PLCs isn’t new, but it has arguably been ignored or at least not taken as seriously as it should have been. Past breaches were treated as vandalism or political messaging, rather than serious threats to the safety of Americans.

“When CyberAv3ngers hit Unitronics PLCs back in 2023, it looked like hacktivism,” Denis Calderone, CTO at cybersecurity provider Suzu Labs, told The National Interest. “They put political messages on water system displays and moved on.”

Suzu Labs had warned last month that organizations in energy, water, and government should be actively hunting for pre-positioned access.

“The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period,” Calderone said—noting that the advisory simply confirms that the attackers are connecting to Internet-exposed devices using overseas IP addresses.

All of the experts warn that Internet isolation alone isn’t enough.

“Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments,” said Calderone.

The threat also won’t go away even when Operation Epic Fury is finally concluded, and if the peace lasts.

“In short, the cease-fire will not stop our adversaries from attacking the United States’ critical infrastructure, and this will lead to the unavailability of these services, or worse, to incidents that lead to loss of life and limb,” Small said. “If your water treatment plant or refinery is searchable on the Internet, you are not running a utility; you are hosting a digital sandbox for the IRGC.”

About the Author: Peter Suciu

Peter Suciu has contributed to dozens of newspapers, magazines and websites over a 30-year career in journalism. He regularly writes about military hardware, firearms history, cybersecurity, politics, and international affairs. Peter is also a contributing writer for Forbes and Clearance Jobs. He is based in Michigan. You can follow him on Twitter: @PeterSuciu. You can email the author: Editor@nationalinterest.org.

The post Iran Planning Cyberattack on US Infrastructure, Intelligence Community Warns appeared first on The National Interest.