SITUATION REPORT

Listen up, operators — this is not a drill.
An Iranian-affiliated advanced persistent threat (APT) group has been actively exploiting internet-facing operational technology devices, including Rockwell Automation/Allen-Bradley programmable logic controllers, since at least March 2026.

This activity has led to PLC disruptions across several U.S. critical infrastructure sectors — and the water and wastewater sector is explicitly named in the crosshairs.
The hackers are taking aim at devices and systems that control industrial processes and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran.

Some of the victims experienced operational disruption and financial loss.
If you have a PLC connected to the public internet, you needed to act yesterday. Today is your second chance.

The threat environment escalated sharply this week.
On April 7, 2026, six federal agencies — FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command — published Joint Advisory AA26-097A, which is the most significant multi-agency OT warning since the original CyberAv3ngers Unitronics campaign in late 2023.
Censys identified 5,219 internet-exposed hosts globally responding to EtherNet/IP and self-identifying as Rockwell Automation/Allen-Bradley devices, and nearly 3,900, or about 3 out of every 4, are based in the United States.
Meanwhile, WaterISAC has been running a TLP:AMBER+STRICT situation report on potential Iranian retaliation since early March, updated most recently on April 9, 2026. The message from every federal partner is the same: get your PLCs off the internet and harden your perimeter — now.

THREAT INTELLIGENCE — LEAD ITEM

🔴 CISA Joint Advisory AA26-097A: Iranian-Affiliated APT Actors Exploiting Rockwell/Allen-Bradley PLCs (April 7, 2026)

This is the lead item and it's a big one.
The authoring agencies assess that a group of Iranian-affiliated APT actors — linked to the IRGC Cyber Electronic Command (CEC) and previously tracked as CyberAv3ngers (also known as Shahid Kaveh Group, Storm-0784, Bauxite, UNC5691) — has been conducting targeted exploitation of internet-facing Rockwell Automation/Allen-Bradley PLCs since at least March 2026.

What They're Doing:

The attacks led to data manipulation on both the human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.

The campaign targets exposed PLCs, such as Rockwell Automation and Allen-Bradley systems, resulting in confirmed operational disruptions, manipulation of HMI and SCADA data, and financial loss.

The advisory's emphasis on project files, display manipulation, and controller access suggests actors are interested in the control plane itself, not simply stealing data.

How They're Getting In:

Pioneer Kitten (Fox Kitten, Parisite, RUBIDIUM) continues to exploit known vulnerabilities in Pulse Secure VPN appliances (CVE-2019-11510, CVSS 10.0), Fortinet FortiOS SSL-VPN (CVE-2018-13379, CVSS 9.8), and Citrix ADC/Gateway (CVE-2019-19781).

VNC (771 service instances) represents direct remote desktop access to HMI workstations — precisely the vector described in AA26-097A for SCADA display manipulation. Telnet (280) is a cleartext legacy protocol with no place on internet-facing OT infrastructure.

Key IOC Intelligence:

CISA's seven 185.82.73.x IP addresses actually represent a single multi-homed Windows engineering workstation running the full Rockwell toolchain — not seven separate machines — hosted in AS214036 (ULTAHOST). Block the entire 185.82.73.0/24 range at your perimeter.

Sector Connection — Dragos BAUXITE:

Dragos tracks BAUXITE, a threat group with technical overlaps with CyberAv3ngers, as a Stage 2 ICS Cyber Kill Chain adversary capable of compromising PLCs.

Hacktivist groups have increasingly blended ideological messaging with state-aligned operations, targeting internet-exposed HMIs, misconfigured engineering workstations, and open field protocols such as Modbus/TCP and DNP3.

CISA ICS ADVISORY ROUND-UP

CISA published multiple ICS advisories this reporting period. Here's what matters for water and wastewater operators:

1. ICSA-26-099-01 — Contemporary Controls BASC-20T (April 9, 2026)

CVE-2025-13926 affects the BASC-20T controller's web interface, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability stems from improper input validation in the device's HTTP request handling.

  • CVSS: 9.8 (CRITICAL)
    Successful exploitation could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls.

  • Water Sector Relevance: BACnet controllers are deployed in water treatment building automation and HVAC systems. This device is end-of-life — segment it or replace it.

2. ICSA-26-099-02 — GPL Odorizers GPL750 (April 9, 2026)

A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.

  • CVSS: 8.6 (HIGH) — Modbus missing authentication. While primarily a gas sector issue, this advisory is a textbook example of what happens when Modbus has no authentication — a lesson directly applicable to water sector SCADA using Modbus/TCP.

3. ICSA-26-097-01 — Mitsubishi Electric GENESIS64 & ICONICS Suite (April 7, 2026)

Affected products include GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, MobileHMI ≤10.97.3, Hyper Historian ≤10.97.3, and AnalytiX ≤10.97.3 (CVE-2025-14815, CVE-2025-14816).

CVE-2025-14815: When the local caching feature using SQLite is enabled and SQL authentication is used, SQL Server credentials are stored in plaintext within the local SQLite file.

  • Water Sector Relevance: GENESIS64/ICONICS products are used in SCADA/HMI environments across water utilities. A local attacker who obtains these credentials could disclose, tamper with, or destroy historian data and cause denial-of-service.

4. ICSA-26-092-01 — Siemens SICAM 8 Products (April 2, 2026)

CVE-2026-27663 is a medium-severity denial-of-service vulnerability (CVSS 6.5) caused by resource exhaustion under high request volumes. CVE-2026-27664 is a high-severity out-of-bounds write vulnerability (CVSS 7.5) exploitable through malicious input.

  • Water Sector Relevance: SICAM 8 products are deployed in power distribution at water treatment plants and pump stations. Update to version ≥26.10.

5. ICSA-25-037-02 — Schneider Electric EcoStruxure (Update D) (April 2, 2026)

EcoStruxure Operator Terminal Expert and Pro-face BLUE versions prior to v4.0 are affected. Version 4.0 includes a fix and is available for download.

  • Water Sector Relevance: EcoStruxure HMI terminals are widely deployed at water and wastewater facilities. Apply Update D.

REGULATORY PULSE

1. CIRCIA Final Rule — Town Halls Postponed, Final Rule Expected May 2026

Due to a lapse in appropriations for DHS, CISA will be unable to hold the CIRCIA town hall meetings as scheduled for March 9 through April 2, 2026.

CISA has delayed publication of its cyber incident reporting rule for critical infrastructure with the final rule now expected in May 2026.

CIRCIA will require critical infrastructure entities — including water and wastewater utilities — to report significant cyber incidents within 72 hours and ransom payments within 24 hours to CISA.

  • Operator Impact: The delay gives you time, but don't waste it. Stand up your incident reporting procedures now so you're not scrambling when the final rule drops.

2. SDWA Section 1433 — RRA/ERP Five-Year Recertification Deadlines Approaching

Systems serving 50,000 to 99,999 people are now in their five-year RRA and ERP recertification window, with specific deadlines set by EPA based on their original 2019–2020 certification dates.

Systems serving 3,301 to 49,999 people face a June 30, 2026, deadline for RRAs (and ERPs six months later).

Inspectors already examine cyber elements in RRAs/ERPs under SDWA Section 1433. Gaps like unchanged default passwords, shared logins, and no asset inventory have triggered findings.

  • Deadline Alert: If you serve 3,301–49,999 people, your RRA is due June 30, 2026 — less than 12 weeks away. Cyber must be in your assessment.

3. EPA Cybersecurity Alert — Heightened Posture for Iranian Threats (March 5, 2026)

EPA is urging water systems to maintain heightened vigilance against potential Iranian cyber activity and associated physical security threats. Iranian government-affiliated and aligned cyber actors have previously demonstrated the ability to exploit internet-exposed OT devices.

EPA's current guidance for enhancing security includes reducing operational technology exposure to the public-facing internet.

4. WaterISAC TLP:AMBER+STRICT Situation Report — Iranian Threat Environment (Updated April 9, 2026)

WaterISAC has been maintaining a rolling situation report on potential Iranian retaliation since early March, updated multiple times through April 9, 2026. WaterISAC members should review the latest update immediately.

OPERATOR ACTION CHECKLIST

IMMEDIATE (This Week):

  • [ ] Audit all internet-facing OT devices. Scan for Rockwell/Allen-Bradley PLCs exposed on EtherNet/IP port 44818. If any PLC is internet-accessible, take it offline from the public internet today.

  • [ ] Block IOC IP range 185.82.73.0/24 at your perimeter firewall. Cross-reference all seven published IOC IPs from AA26-097A against your firewall and DNS logs for the past 90 days.

  • [ ] Disable VNC, Telnet, and Modbus/TCP on any internet-facing interfaces. These are confirmed attack vectors in the current campaign.

  • [ ] Patch VPN appliances — specifically Pulse Secure (CVE-2019-11510), Fortinet (CVE-2018-13379), and Citrix ADC/Gateway (CVE-2019-19781). These are the Pioneer Kitten initial access vectors being actively exploited.

  • [ ] Verify PLC project file integrity. Baseline your PLC configurations and compare against known-good backups. Any unauthorized logic modifications are indicators of compromise.

  • [ ] Review HMI/SCADA displays for evidence of data manipulation — changed setpoints, altered chemical dosing values, or unfamiliar screen modifications.
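One way to work the first three checklist items above against your own firewall or flow logs, as an added example that is not part of the briefing or the advisory: the IOC range 185.82.73.0/24 and the service ports (EtherNet/IP 44818, VNC, Telnet, Modbus/TCP) are the ones named in the checklist, while the log format, the sample log lines, the plant address ranges and the review date are constructed for the example.

```python
"""Triage firewall or flow logs against the IMMEDIATE checklist above: flag contact with
the AA26-097A IOC range 185.82.73.0/24, allowed connections from outside the plant ranges
to OT ports that must never face the internet, and drop records older than 90 days.
Log format, sample lines, plant address ranges and review date are constructed here."""
import ipaddress
from datetime import datetime, timedelta, timezone

IOC_RANGE = ipaddress.ip_network("185.82.73.0/24")  # published in AA26-097A per the briefing
OT_PORTS = {44818: "EtherNet/IP", 5900: "VNC", 23: "Telnet", 502: "Modbus/TCP"}
PLANT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOKBACK = timedelta(days=90)
REVIEW_DATE = datetime(2026, 4, 10, tzinfo=timezone.utc)  # constructed "today" for the sample

def parse_line(line):
    """Parse 'ISO8601 src=IP dst=IP dport=N action=allow|deny' (constructed log format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(rec["src"]),
            "dst": ipaddress.ip_address(rec["dst"]), "dport": int(rec["dport"]),
            "action": rec["action"]}

def is_external(addr):
    """True when the address is outside the plant's own (assumed RFC 1918) ranges."""
    return not any(addr in net for net in PLANT_NETS)

def triage(lines, now=REVIEW_DATE):
    """Return (timestamp, reason, line) findings inside the lookback window, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["ts"] < now - LOOKBACK:
            continue  # outside the 90-day review window
        if rec["src"] in IOC_RANGE or rec["dst"] in IOC_RANGE:
            # any contact with the IOC range is worth a ticket, whether allowed or denied
            findings.append((rec["ts"], "IOC range 185.82.73.0/24", line))
        elif rec["dport"] in OT_PORTS and is_external(rec["src"]) and rec["action"] == "allow":
            findings.append((rec["ts"], f"{OT_PORTS[rec['dport']]} reachable from internet", line))
    return findings

SAMPLE_LOGS = [  # constructed; 10.20.1.0/24 stands in for the plant OT segment
    "2026-04-03T02:14:07+00:00 src=185.82.73.10 dst=10.20.1.50 dport=44818 action=allow",
    "2026-04-05T11:02:33+00:00 src=198.51.100.7 dst=10.20.1.60 dport=5900 action=allow",
    "2026-04-06T09:45:12+00:00 src=10.20.1.5 dst=10.20.1.50 dport=44818 action=allow",
    "2026-01-02T00:00:00+00:00 src=185.82.73.200 dst=10.20.1.50 dport=502 action=deny",
    "2026-04-08T16:20:00+00:00 src=203.0.113.9 dst=10.20.1.61 dport=23 action=deny",
]

if __name__ == "__main__":
    for ts, reason, line in triage(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M}  {reason}\n    {line}")
```

Internal EtherNet/IP traffic and denied probes on OT ports are deliberately left out of the findings; the January record shows the 90-day cutoff doing its job.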

SHORT-TERM (Next 30 Days):

  • [ ] Segment your OT network. If your PLCs, HMIs, and SCADA servers are on the same flat network as your corporate IT, you are one compromised credential away from an operational disruption.

  • [ ] Update Mitsubishi GENESIS64/ICONICS Suite to version >10.97.3 to remediate CVE-2025-14815 and CVE-2025-14816 (plaintext SQL credential storage).

  • [ ] Update Siemens SICAM 8 products to version ≥26.10 to address CVE-2026-27663 and CVE-2026-27664.

Hold the line,

Jeff Farrell
Critical Infrastructure Analyst
Reinforcefy | The CIP Briefing

Disclaimer: The intelligence provided in The CIP Briefing by Reinforcefy LLC is for informational and educational purposes only. It does not constitute formal engineering, legal, or regulatory compliance advice. While this briefing translates federal mandates and threat intelligence into actionable strategies, every utility environment is unique. Facility operators and management are solely responsible for verifying the applicability of this intelligence and executing proper internal change-management protocols before implementing any network configurations, patches, or physical security modifications. Always consult with your internal engineering team, IT department, and legal counsel.
