⚠ Active Advisory: April 2026

Iranian Hackers Are Inside U.S. Water Systems

Seven federal agencies issued an emergency advisory. Nation-state actors are actively compromising water treatment plants and energy grids right now.

The Threat Is Real. The Threat Is Now.

IRGC-affiliated actors operating under the persona "CyberAv3ngers" are actively compromising Unitronics Vision Series PLCs and HMIs used in water, wastewater, energy, food manufacturing, transportation, and healthcare. Victims span multiple U.S. states.

In November 2023, Iranian hackers breached the Aliquippa, Pennsylvania municipal water authority, gaining control of a booster pump station serving 15,000 residents. The attack was only stopped because an alarm triggered manually.

The government's recommendation? "Disconnect PLCs from the internet." In 2026. That's not a solution. That's an admission of failure.

"The United States has hundreds of fragmented electric companies. Hundreds of water companies. All separate. All running different systems. All with barely any cyber oversight, cyber enforcement, or penetration testing." — Nicolas Chaillan, Former Pentagon Chief Software Officer

Official Sources

CISA IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors — AA23-335A (Updated Dec. 2024)

CISA Water and Wastewater Systems Sector Critical Infrastructure

EPA Cybersecurity for the Water Sector

What We Found Across U.S. Critical Infrastructure

Verified by passive discovery. No active probing. No exploitation. The dataset refreshes daily.

Thousands

Exposed ICS Devices

Industrial control systems reachable from the public internet across the United States.

No Security Layer

Direct Internet Reach

Controlling pumps, valves, sensors, and remote sites with no firewall or VPN between the device and any attacker.

Online & Reactive

Responding Right Now

Live, in production, responding to identity queries from anywhere on the internet.

Controllable

Unauthenticated Commands

Running native control protocols that accept commands without authentication. Setpoint changes can be sent by anyone who can reach them.

Confirmed exposure types (representative)

Protocols We See in the Wild

EtherNet/IP, BACnet, Modbus, Fox / Niagara, Siemens S7, DNP3, OMRON FINS, and more. If your facility runs a PLC, an HMI, or a building management system, one of these protocols is involved.

Who Is At Risk?

If you operate industrial control systems, you are a target.

Water Treatment

Municipal water systems, wastewater facilities, and treatment plants are primary targets for nation-state actors.

Energy & Utilities

Electric utilities, natural gas pipelines, and power generation facilities face constant probing.

Manufacturing

Industrial facilities with PLCs and SCADA systems controlling critical processes.

Building Automation

HVAC, access control, and building management systems in critical facilities.

The AWIA Compliance Clock Is Running

Every community water system serving more than 3,300 people is required to complete a Risk and Resilience Assessment and an Emergency Response Plan, and to recertify them to EPA every 5 years. Cybersecurity is an explicitly required component.

Systems > 50,000 population

June 30, 2026. Recertification deadline. Past this date, EPA can issue enforcement orders and civil penalties for non-compliance.

Systems 3,300 - 49,999

Rolling 2026-2027 deadlines based on system size tier. Get audited before you get noticed.

Systems < 3,300

AWIA does not require formal recertification, but state regulators and insurers increasingly cite CISA Performance Goals as the standard of care.

CISA Cross-Sector Goals

Voluntary baseline today. State PUCs and cyber insurance underwriters now ask about compliance during renewal. Failure to align affects coverage and rates.

Verify These Requirements Yourself

EPA AWIA Section 2013 - Community Water System Risk and Resilience Assessments

CISA Cross-Sector Cybersecurity Performance Goals

EPA Enforcement Alert: Cybersecurity Risks at Community Water Systems (May 2024)

Recent Incidents You Can Verify

Documented attacks against U.S. water and wastewater systems. Public reporting from CISA, FBI, and the affected utilities.

Aliquippa, Pennsylvania - Nov 2023

CyberAv3ngers (Iranian IRGC) compromised the Municipal Water Authority's Unitronics PLC controlling a booster pump station. Operators caught the intrusion only because of a manually investigated alarm.

Muleshoe, Texas - Jan 2024

Water tank overflowed after attackers manipulated SCADA systems at a small Texas community water utility. CyberArmyofRussia_Reborn claimed responsibility.

American Water Works - Oct 2024

The largest U.S. publicly traded water utility took customer-facing systems offline after a confirmed cybersecurity incident. Operations continued; investigation ongoing.

Our Assessment Process

A comprehensive 2-week threat hunt. Zero operational impact.

1. Discovery

Full inventory of PLCs, RTUs, HMIs, SCADA. Network mapping and internet exposure check.

2. Monitoring

Passive network capture of ICS protocols. Baseline normal behavior. No operational impact.

3. Threat Hunt

Search for Iranian IOCs, unauthorized access, anomalous commands, after-hours activity.

4. Report

Executive summary, technical findings, prioritized remediation roadmap.

Federal Funding Covers Your Assessment

Your utility may qualify for grants that fully cover cybersecurity assessments. No operating budget required.

CWSRF / DWSRF Grants

Clean Water and Drinking Water State Revolving Funds include cybersecurity as an eligible expense. Typical awards: $500K to $2M per system. Your state SRF program administers applications.

FEMA HSGP

Homeland Security Grant Program funds cybersecurity for critical infrastructure. Awards range from $100K to $500K. Apply through your state emergency management agency.

SLCGP

State and Local Cybersecurity Grant Program: 80% of funds must flow to local governments. Specifically designed for entities like municipal water systems.

IIJA Bonus Funding Expires 2026

The Bipartisan Infrastructure Law allocated $55B for water infrastructure with enhanced cybersecurity provisions. Bonus funding rates expire at the end of 2026. After that, standard rates apply at significantly lower levels.

RedEye assists with grant applications at no additional cost. We help you identify eligible programs and prepare the paperwork.

Assessment Pricing

Enterprise-grade security at prices that work for municipal budgets.

Small Facility

$18,500

Single-site assessment. 2 weeks. Full report with remediation roadmap. Ideal for water systems serving under 10,000 residents.

Full Assessment

$15K - $35K

Scales by site count and complexity. Multi-facility utilities, regional water authorities, energy operators. Includes compliance mapping.

Ongoing Monitoring

$5K - $12K/mo

Continuous passive monitoring. Real-time alerting. Monthly threat reports. Dedicated support. Mostly automated, minimal overhead.

Protect Your Community's Water

Free scoping call. We'll assess your exposure, identify applicable grants, and show you exactly what an assessment covers.
