Dive Brief:
- Hackers “affiliated” with Iran have been targeting programmable logic controllers, or PLCs, used in critical sectors including power grid operations, the U.S. Cybersecurity and Infrastructure Security Agency warned in an advisory Tuesday. The advisory went out to the energy sector, along with water and wastewater and government services and facilities sectors, as the U.S.-Israeli war against Iran entered its sixth week.
- CISA said the hackers were “conducting exploitation activity” targeting operational technology including PLCs leading to “disruptions” of the controllers “across several U.S. critical infrastructure sectors.”
- The North American Electric Reliability Corp. said it is “actively monitoring the grid” and is coordinating with the U.S. Department of Energy and the Electricity Subsector Coordinating Council. A ceasefire announced after the advisory went out appeared to be holding early Wednesday, but the outcome of negotiations remains uncertain.
Dive Insight:
“Iranian-affiliated [advanced persistent threat] targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities,” CISA said.
Hackers disrupted PLCs through “malicious interactions” with software and configuration settings, and by manipulating data on human-machine interface and supervisory control and data acquisition displays, “resulting in operational disruption and financial loss,” the advisory said, without providing details about the target or targets.
The agency, which sits within the Department of Homeland Security and coordinates critical infrastructure security and resilience, said U.S. organizations should “urgently review” tactics hackers may use to compromise the controllers and warning signs that a system has been compromised.
CISA’s security advisory was jointly issued with other federal entities, including the National Security Agency and DOE. It did not say what sectors had experienced disruptions.
The alert was issued as tensions between Iran and the U.S. escalated ahead of a Tuesday evening deadline set by President Donald Trump, who threatened to bomb Iranian power plants and other civilian infrastructure.
Electric utilities are on high alert, but maintain this is familiar territory, according to the Edison Electric Institute, a trade group representing investor-owned utilities.
“The threat of cyber and physical attacks targeting critical infrastructure is not new,” Jennifer DeCesaro, senior vice president of industry operations at EEI, said in an email to Utility Dive.
The group partners with the government through the Electricity Subsector Coordinating Council “to share actionable intelligence and prepare to respond to incidents that could affect our ability to provide electricity safely and reliably,” she said.
NERC also sent a warning to members of the Electricity Information Sharing and Analysis Center, which primarily includes North American electricity and natural gas industry asset owners and operators.
The alert “amplifies the U.S. government advisory and encourages industry vigilance and the lowering of thresholds for sharing of suspicious cyber or physical security activity,” Kimberly Mielcarek, NERC vice president of corporate and external communications, told Utility Dive.
“Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners,” she said.
PLCs are “critical for grid automation,” particularly in distribution and generation, Joe Saunders, CEO of RunSafe Security, said in an email. The company provides embedded software security for critical infrastructure.
About 50% to 80% of U.S. grid control endpoints rely on PLCs, he noted.
“They are often used for substation automation, managing distributed energy resources, and balancing plant controls for generation — and as a result, PLCs are essential for maintaining a resilient grid,” Saunders said. “If PLCs were compromised, power generation could shut down and distribution networks could shut down.”
CISA’s advisory singled out a brand of PLC manufactured by Rockwell Automation, but said others could be impacted.
A Rockwell spokesperson told Utility Dive that it “takes seriously the security of its products and solutions and has been closely coordinating with government agencies” in connection with the joint cybersecurity advisory. The company has published advisories with “recommendations for how customers can strengthen the security of their operational technology deployments.”
CISA’s advisory “should be a wake-up call for anyone who thinks this threat is contained,” Brad LaPorte, chief marketing officer at endpoint security firm Morphisec, told Utility Dive.
There are somewhere between 600,000 and 2 million PLCs deployed across U.S. critical infrastructure, LaPorte said.
“Many of these systems run on legacy operating systems that were never designed with today’s threat environment in mind,” he said.
The two-week ceasefire in Iran is an opportunity for utilities to scrutinize their systems for vulnerabilities, ReversingLabs Chief Trust Officer Saša Zdjelar told Utility Dive.
“For anyone in critical infrastructure or supporting U.S. government and defense, this is the time to take a hard look at operational resilience and what it actually takes to keep running when you can't fully trust what's already in your environment,” Zdjelar said.