Is the next world war going to be fought in programmable logic controllers? While politicians posture about red lines and retaliatory strikes, a quieter, more insidious conflict is already underway. The real story here isn't the saber-rattling from Donald Trump – it’s the fact that Iran has demonstrably punched back, not with missiles aimed at cities, but with malware aimed at our water treatment plants and energy grids. This isn’t some future threat; US agencies are warning of active, disruptive attacks right now, and the implications for everyday Americans are far more immediate than geopolitical headlines suggest.
A joint advisory released Tuesday by the FBI, NSA, Department of Energy, and Cybersecurity and Infrastructure Security Agency confirms what cybersecurity firms have been tracking for months: Iranian-linked hackers are actively targeting industrial control systems (ICS) across the United States. These aren’t attempts to steal data – they’re attempts to break things. Specifically, they’re going after programmable logic controllers (PLCs), the digital brains that manage critical infrastructure like power plants, water facilities, and even some government operations. Think of a PLC like the thermostat in your house, but instead of controlling temperature, it controls pumps, valves, and switches that keep society functioning. Compromising those PLCs, as the advisory warns, can lead to system downtime, damage, and even dangerous conditions. While the extent of the “operational disruption and financial loss” remains undisclosed, the fact that it’s being acknowledged at all is deeply concerning.
Reporting from WIRED informs this analysis.
This isn’t a new tactic. Rob Lee, co-founder and CEO of Dragos, a firm specializing in ICS security, points out that Iranian actors have “well documented” interest in targeting these systems as a means of applying pressure. What’s changing is the sophistication and persistence of the attacks. The group most closely linked to the current campaign, known as CyberAv3ngers (or the Shahid Kaveh Group), initially gained notoriety for relatively low-level “hacktivism” – defacing systems with pro-Gaza imagery, like changing the names of Unitronics devices to “Gaza” and displaying their logo. But as Grant Geyer, Claroty’s chief strategy officer, explains, this was a smokescreen. The IRGC, Iran’s Revolutionary Guard Corps, recognized they couldn’t compete with the US on a traditional battlefield, so they turned to asymmetric warfare in the cyber domain.
The Unitronics attacks, while seemingly superficial, demonstrated a capability to deeply corrupt device code, disrupting water utility networks in the US, Israel, and even Ireland. This wasn’t just about making a statement; it was about proving they could disrupt critical services. And they’ve continued to refine their methods. Despite a $10 million bounty and sanctions against linked officials, CyberAv3ngers breached a US oil and gas company in 2024 and deployed malware called IOControl, designed to establish a persistent foothold in targeted systems. As Noam Moshe of Claroty noted last year, they weren’t just looking for immediate impact; they were planting the seeds for future disruption. They wanted options.
The escalation coincides with a dangerous moment in geopolitical tensions. The US Cyber Command has already publicly claimed responsibility for cyberattacks disabling Iranian defenses, and the rhetoric from President Trump is reaching a fever pitch. Meanwhile, another Iranian-linked group, Handala, is launching its own scattershot attacks, including a breach of medical technology firm Stryker and a hack of an FBI director’s personal email. Handala’s recent Telegram post – “Tonight, cyber and missile soldiers will fight side by side for one nation. We have a spectacular night ahead!” – isn’t just bravado. It’s a clear indication that Iran views cyber warfare as an integral part of its response. Rockwell Automation, a major PLC vendor whose products are named in the recent advisory, says it’s coordinating with government agencies and providing guidance to customers, but the onus ultimately falls on facility operators to secure their systems.
The uncomfortable truth is that our critical infrastructure is riddled with vulnerabilities, and the attackers are learning faster than we are. This isn’t a problem for cybersecurity professionals to solve in a vacuum; it’s a problem that will directly impact your access to clean water, reliable power, and essential services. The question isn’t if another successful attack will occur, but when, and whether we’ll be prepared for the cascading consequences. Watch for a surge in emergency funding allocated to ICS security upgrades in the coming months – and, more importantly, watch to see if that funding actually reaches the small and medium-sized water utilities and energy providers that are most vulnerable. Because if it doesn’t, the next disruption won’t just be disruptive; it will be devastating.