Critical Infrastructure Under Siege

Iran’s cyber campaign against U.S. operational technology is the activation of a threat that has been building for years. Security integrators and consultants have a central role in what happens next.

Key Highlights

  • CISA Advisory AA26-097A, co-signed by six federal agencies, confirms that Iranian-linked threat actors are actively exploiting internet-connected PLCs across U.S. water, energy, and government infrastructure.
  • Every physical security system deployed inside an OT environment — cameras, access control, sensors — becomes part of that environment's attack surface.
  • Integrators who install cloud-connected systems in utility or industrial settings without understanding network segmentation may be creating the entry point that enables the next attack.
  • Integrators who build OT competency now, develop consultant relationships, and show up to client conversations with architecture awareness rather than product catalogs will define the next generation of the trusted advisor role in critical infrastructure.

This article originally appeared as the cover story in the May 2026 issue of Security Business magazine.

The valves that regulate chlorine levels in a municipal water supply. The relay switches on a transmission line serving a major metro grid. The programmable controllers governing pressure in a regional gas pipeline. These are the systems now in the crosshairs of Iranian-affiliated cyber actors, and according to a joint advisory issued April 7, 2026, by six U.S. federal agencies, the attacks are no longer theoretical. They are underway.

CISA Advisory AA26-097A, co-signed by the FBI, NSA, EPA, Department of Energy, and U.S. Cyber Command, confirms that Iranian-linked threat actors are actively exploiting internet-connected programmable logic controllers (PLCs) — specifically Rockwell Automation/Allen-Bradley systems — across U.S. critical infrastructure. Targeted sectors include water and wastewater systems, energy, and government facilities. The advisory documents actual operational disruptions and financial losses at victim organizations.

For security integrators and consultants serving utilities, municipalities, transportation authorities, and even manufacturing clients, the advisory represents a hard stop. The question of whether OT security falls within their scope has been answered.

A Problem Built Over Decades

To understand why this moment arrived, security technology and management consultant Pierre Bourgeix, founder of ESI Convergent and one of the country’s foremost OT security consultants, traces the exposure back to a decade of connectivity decisions made without commensurate security investment.

“As we have connected a lot of OT infrastructure in the last 10 years, what we’ve now connected are devices that do not have the technology to secure themselves,” Bourgeix explains. “There are hundreds of millions of connected devices where, in the day, they were not. Over time we started connecting them because the requirements shifted. These systems are in scope now — you have to know if they’re online, if they’re high, low, on, off, disabled.”

The mandate came partly from government. Around 2018, the Government Accountability Office directed that all pipeline systems be connected to enable visibility and oversight. The intent was legitimate; however, the execution left critical systems exposed in ways that were predictable to those paying attention. Bourgeix wrote about the risk at the time, before the Colonial Pipeline attack made headlines and made the vulnerability undeniable.

COVID accelerated the exposure further. When facility operators had to manage industrial systems remotely, they connected those systems to the cloud without establishing the security architecture to protect those connections.

“What that has led to is even more attacks,” Bourgeix says, “because we haven’t secured those connections and communication systems, nor have we secured the actual connector.”

What a PLC Actually Does, and Why It Matters

The term “operational technology” can obscure the physical reality at stake. PLCs are the switches that, among hundreds of functions, regulate flow valves in a water treatment facility, control transmission lines and transformers in a power grid, and manage ingredient ratios in a food manufacturing process. Their function is binary at the core — open and close, on and off — but the downstream consequences of unauthorized manipulation are not.

“If we put too much chlorine in water, it could kill people,” Bourgeix says flatly. “So it’s everything. If you turn on your water, the things that support it are what causes this problem.”

In an energy environment, the stakes scale even further. A compromised switch in a transmission network can trigger what Bourgeix calls a cascading effect — a chain reaction that takes out an entire regional power grid. Restoration requires days, not hours. Most energy companies lack the compensating controls and backup redundancy to recover quickly, and building that resilience costs millions.

The transit sector carries its own risks. The switching systems that route subway and rail traffic are embedded in the same OT environment. A manipulated signal switch is a collision waiting to happen.

The IT/OT Boundary: Where the Exposure Lives

OT environments operate in a fundamentally different security architecture than IT systems. In IT, decades of open-standard development have produced a mature protection stack — layers three through seven in network architecture terms, with established tools from vendors like Juniper and a well-understood security model.

In OT and SCADA environments, the equivalent stack (layers zero through three) is proprietary, fragmented, and far less mature.

“There are over 74 different types of PLC and SCADA control systems, and they’re all closed systems,” Bourgeix notes. “They don’t talk to each other. We can’t add security components without those vendors being part of it.”

Each manufacturer — Rockwell, Siemens, Schneider Electric, and dozens of others — has built its own security model. Each carries its own vulnerabilities, and each requires its own patching cadence.

CISA has issued hundreds of vulnerability advisories for Siemens PLC controllers alone. Legacy code running on aging hardware compounds the problem. When IT departments inherit responsibility for OT systems, the result is rarely good.

“IT looks at OT going, ‘this is simple,’” Bourgeix says. “But it isn’t simple, because it’s connected to high-availability systems that are very secure and need to be protected. A lot of those systems are old. And old code on old computers means vulnerabilities.”

The nominal separation between OT and IT — the DMZ, the firewall, the air gap — erodes in practice. Dual-hatted personnel who work across both OT and IT environments become potential attack vectors. Service technicians who dial in to repair an isolated system create a connection point, and any data traveling from a PLC through a DMZ to a dashboard creates a channel that a sophisticated attacker can exploit through a man-in-the-middle or side-channel approach.

Aras Nazarovas, Senior Information Security Researcher at Cybernews, describes the core vulnerability plainly: “OT environments often don’t have the same security controls as IT systems; instead, they rely much more on physical security and isolation. These systems are built to stay active 24/7, so a lot of standard protections like encryption or strong authentication aren’t always in place. In some cases, traffic is unencrypted for simplicity, and default passwords are still used.”
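The boundary erosion described above is something a defender can watch for in the traffic itself. The following Python script is an added example, not code from the article, from ESI Convergent or from Cybernews: it applies a simple segmentation model (OT may only initiate sessions to the DMZ; nothing initiates into OT) to flow records and reports every session that crosses the boundary the wrong way. The zone address ranges, the sample flow lines and the record format are constructed for the example; the port table lists well-known ICS service ports (44818/tcp EtherNet/IP as used by Rockwell/Allen-Bradley controllers, 502/tcp Modbus/TCP, 102/tcp Siemens S7) so a finding names the controller protocol being reached.

```python
"""Flag sessions that cross the IT/OT boundary in a direction the
segmentation model does not allow.

Constructed example: the zone ranges, flow records and record format are
assumptions made for this illustration, not data from any real site.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for the example site.
ZONES = {
    "ot": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("10.30.0.0/24"),
    "it": ipaddress.ip_network("10.10.0.0/16"),
}

# Well-known ICS service ports, used only to label what a flow reaches.
ICS_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP", 102: "S7comm"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip):
    """Map an address to a zone name; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def classify(flow):
    """Return a finding string, or None if the flow fits the model.

    Allowed cross-zone directions: OT -> DMZ, IT -> DMZ, DMZ -> internet.
    Any session initiated into OT, or OT initiating to anything but the DMZ,
    is reported.
    """
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return None
    if d == "ot":
        svc = ICS_PORTS.get(flow.dport, f"{flow.proto}/{flow.dport}")
        return f"INBOUND_TO_OT from {s} {flow.src} -> {flow.dst} ({svc})"
    if s == "ot" and d != "dmz":
        return f"OT_EGRESS to {d} {flow.src} -> {flow.dst}:{flow.dport}"
    return None


def parse_flow(line):
    """Parse a 'src=... dst=... dport=... proto=...' record; '#' starts a comment."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    kv = dict(tok.split("=", 1) for tok in body.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), kv.get("proto", "tcp"))


def findings(text):
    """Run classify() over every record in a flow export and collect findings."""
    out = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        hit = classify(flow)
        if hit:
            out.append(hit)
    return out


# Constructed flow export (hypothetical addresses; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the internet).
SAMPLE_FLOWS = """\
src=10.20.5.11 dst=10.30.0.10 dport=8443 proto=tcp     # OT historian pushing to the DMZ collector: allowed
src=10.10.7.42 dst=10.20.5.11 dport=44818 proto=tcp    # IT workstation reaching a PLC directly: finding
src=203.0.113.9 dst=10.20.5.11 dport=44818 proto=tcp   # internet source reaching a PLC: finding
src=10.20.9.3 dst=198.51.100.20 dport=443 proto=tcp    # OT device calling out to a cloud endpoint: finding
src=10.30.0.10 dst=10.20.5.11 dport=44818 proto=tcp    # DMZ host initiating into OT: finding
src=10.10.7.42 dst=10.30.0.10 dport=443 proto=tcp      # IT user reading the DMZ dashboard: allowed
"""

if __name__ == "__main__":
    for finding in findings(SAMPLE_FLOWS):
        print(finding)
```

The model is deliberately strict: a DMZ host initiating into OT is reported just like an internet source, because the article's design point is that visibility traffic leaves OT and nothing comes back in. Replacing `SAMPLE_FLOWS` with a firewall or NetFlow export in the same `key=value` shape is enough to run it against real data.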

Nation-State Actors: The Long Game

The Iranian campaign did not materialize from nothing. The groundwork was laid over years, by multiple state-sponsored actors probing and pre-positioning inside U.S. critical infrastructure.

Volt Typhoon — a Chinese state-supported cyber operation also known by the designations Vanguard Panda, Bronze Silhouette, and Voltzite, among others — spent years compromising thousands of internet-connected devices across U.S. aviation, water, energy, and transportation networks.

Western intelligence officials and CISA confirmed that Volt Typhoon’s goal was pre-positioning: establishing persistent access that could be activated to disrupt critical communications infrastructure during a future conflict.

CISA director Jen Easterly told Congress that agency teams found and eradicated Chinese intrusions across multiple critical infrastructure sectors. The hackers had maintained that access for approximately five years. Bourgeix connects the dots directly. “We knew they were already in. We think Volt Typhoon was part of it. This was not something people weren’t aware of for the last 10 months.”

The Iranian actors named in AA26-097A — operating as CyberAv3ngers under the IRGC’s Cyber Electronic Command — have been active since at least 2023. A prior CISA advisory from December 2023 documented the same group targeting U.S. PLCs across multiple sectors including water and wastewater systems. The current campaign is an escalation, not an inauguration.

“Nation-state syndicates are organizations hired to create these vulnerabilities,” Bourgeix says. “They go to work every day. They share what they’ve done and piggyback onto each other’s effects. The misnomer is that this is a guy in his underwear in a basement. These guys all work for a living.”

Iran, he notes, learned from being a victim. The Stuxnet attack on Iranian centrifuges — widely attributed to U.S. and Israeli intelligence — gave Iranian actors a detailed education in OT vulnerability. They absorbed those lessons. They built relationships with Chinese and North Korean hacking syndicates. They waited.

What a Competent Response Looks Like

When the AA26-097A advisory dropped, Bourgeix’s immediate protocol was triage. “The first thing we do is assess the client’s systems if we haven’t already,” he explains. “We evaluate every automated control system — not just Rockwell and Siemens, but all of them — and look at what vulnerabilities have been identified in the last year that should have been patched or changed.”

That assessment drives the next phase: isolation and quarantine of affected or at-risk systems, evaluation of the kill chain to understand where and how an intrusion may have progressed, and a determination of what can safely be taken offline vs. what must remain operational. For systems that cannot be shut down, Bourgeix’s team implements immediate communication controls — temporarily halting any traffic from inside the OT environment to the outside while the vulnerability is being evaluated.

The hardest truth in OT incident response is that a simple patch rarely resolves the problem. “You can’t just roll out a patch,” Bourgeix says. “Especially in OT infrastructure, because you’re dealing with so many different layers. You’re shutting down, isolating, triaging, repairing, then mitigating the root problem so you can get back up and running.”

Validation after remediation requires testing in a sandboxed environment — a duplicate of the production system that can absorb a patch test without risking operational continuity. “Most organizations don’t have sandboxes of their own,” Bourgeix acknowledges. “The first thing I would do is build one within an organization that mimics how their system is working. You have to test and validate that your fix actually solves the problem before it touches the live system.”

He also warns against assuming that isolation equals safety. “If one of the systems has already been penetrated, something may be lying in wait that could attack another system from within. Anything interconnected has to be evaluated.”

The Integrator’s Role: Larger Than They Think

Most security integrators working in industrial, utility, or municipal environments have not positioned themselves as OT security advisors. That positioning needs to change.

Bourgeix is direct about the risk of deploying physical security technology into an OT environment without understanding the architecture. “If you’re dealing with work within OT infrastructure and there are vulnerabilities that could arise if you deploy cameras incorrectly — or if you don’t understand the cloud vs. hybrid environment — then you are potentially risking your client’s security.”

Camera systems, access control, sensor networks, fence detection — all of these, when deployed inside an OT environment, become part of that environment’s attack surface. An integrator who installs a cloud-connected camera system in a utility substation without understanding the network segmentation model may have created an entry point.

The architecture question extends to the choice between cloud, on-premises, and hybrid deployments. Bourgeix describes working with an energy company that wanted to move toward cloud-based management. His counsel was precise: bidirectional cloud communication inside an OT environment is dangerous. Outbound-only, directional communication to a DMZ domain controller — for visibility and alerting — can be done safely. The difference requires an understanding that the integrator sitting across the table often doesn’t have.
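The distinction drawn above (bidirectional cloud communication into OT versus outbound-only communication to a DMZ collector) and the response step described earlier (temporarily halting all traffic from inside the OT environment while an exposure is evaluated) can both be expressed as rules about which zone may initiate a session. The following Python script is an added example, not code from the article or from ESI Convergent: it models an OT boundary policy as a list of allow rules, validates a policy against the design rule, and derives the lockdown variant. Zone names, port numbers and the two candidate policies are assumptions constructed for the example; a stateful firewall is assumed, so replies to an allowed session pass without a rule of their own.

```python
"""Policy model for the OT boundary firewall: which zone may *initiate*
sessions to which zone.

Constructed example: zone names, ports and both candidate policies are
illustrative, not taken from any real site or vendor configuration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src: str            # zone that initiates the session
    dst: str            # zone that receives it
    ports: tuple        # destination ports; () means any port
    action: str = "allow"


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)
    default: str = "deny"   # stateful firewall assumed: replies to allowed sessions pass


def validate(policy):
    """Return the architecture violations in an OT boundary policy.

    Design rule from the article: nothing initiates into OT, and OT initiates
    only to the DMZ (outbound-only visibility and alerting).
    """
    problems = []
    if policy.default != "deny":
        problems.append("default action must be deny")
    for r in policy.rules:
        if r.action != "allow":
            continue
        ports = r.ports or "any"
        if r.dst == "ot":
            problems.append(f"rule lets {r.src} initiate into OT on {ports}")
        elif r.src == "ot" and r.dst != "dmz":
            problems.append(f"rule lets OT initiate to {r.dst} on {ports} (must go via DMZ)")
    return problems


def lockdown(policy):
    """Incident-response variant: remove every OT-initiated allow rule so no
    traffic leaves the OT environment while the exposure is evaluated."""
    kept = [r for r in policy.rules if not (r.src == "ot" and r.action == "allow")]
    return Policy(name=policy.name + "-lockdown", rules=kept, default="deny")


def egress_rules(policy):
    """Allow rules under which OT initiates a session to another zone."""
    return [r for r in policy.rules if r.src == "ot" and r.action == "allow"]


# Proposal A: the cloud-management design the article warns against.
CLOUD_BIDIRECTIONAL = Policy("cloud-bidirectional", [
    Rule("ot", "internet", (443,)),        # PLC gateway talks to the cloud service
    Rule("internet", "ot", (443, 44818)),  # cloud service pushes back into the OT zone
    Rule("it", "dmz", (443,)),             # dashboards read from the DMZ
])

# Proposal B: outbound-only visibility through a DMZ collector.
OUTBOUND_ONLY = Policy("outbound-only", [
    Rule("ot", "dmz", (8443,)),       # OT pushes telemetry and alerts to the DMZ collector
    Rule("dmz", "internet", (443,)),  # collector forwards onward; OT never reaches the internet
    Rule("it", "dmz", (443,)),        # dashboards read from the DMZ
])

if __name__ == "__main__":
    for pol in (CLOUD_BIDIRECTIONAL, OUTBOUND_ONLY):
        print(pol.name, "->", validate(pol) or "OK")
    locked = lockdown(OUTBOUND_ONLY)
    print(locked.name, "OT egress rules:", egress_rules(locked))
```

Used as a pre-deployment check, `validate()` turns the conversation with an integrator from "is cloud management safe here" into a concrete list of rules that would open a path into OT; `lockdown()` produces the temporary posture to apply while an advisory like AA26-097A is being worked through, without touching the rules that let IT reach the DMZ.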

The path forward, Bourgeix argues, runs through the consultant relationship that too many integrators treat as adversarial. “Our biggest challenge right now with integrators is they treat consultants like they are their enemy,” he says. “If they started working with us instead of trying to design things they shouldn’t be designing, they would end up being more successful. They’d sell more because we’d be able to have these conversations with IT and OT together and build systems that are much more accurate and secure.”

The integrator who walks into a utility or manufacturing client’s office with OT architecture awareness — who understands segmentation, who knows what a PSP is in a NERC CIP environment, who can speak to NERC governance alongside physical security technology — earns a seat at a different table. “They’d go, ‘You’ve done your due diligence; you understand our problems, and you are willing to work with us hand in hand,’” Bourgeix says. “That grows a relationship.”

The Board Problem

Underneath every underfunded, underprotected OT environment is a board of directors that never treated OT security as a budget priority. Bourgeix has been sounding that alarm for years. “If the board doesn’t understand the challenge and the problem, they’re the ones who prevent the money and the funding and the requirements.”

That is where integrators and consultants carry their most underutilized leverage. They are often the only outside voices in front of a board or senior leadership team with firsthand knowledge of the physical infrastructure at risk. The ability to connect an OT vulnerability to a business continuity failure — to translate “compromised PLC” into “regional grid outage lasting days, with no backup system in place” — is a conversation that changes budget allocations.

Nazarovas reinforces the foundational argument for making that case: “This is not just a one-off campaign — it’s a repeatable attack model. The same kind of attack can be repeated again and again until the systems are properly secured.”

The current Iranian campaign, whatever its geopolitical trajectory, has exposed the structural vulnerability of OT infrastructure to state-sponsored cyberattack. That exposure does not resolve with a ceasefire. It resolves with architecture, segmentation, governance, redundancy, and the kind of cross-disciplinary expertise that security integrators and consultants are positioned — when they are at their best — to deliver.

The Outcome Imperative

Bourgeix closes with a frame that will resonate with every integrator who has followed the industry’s evolution over the past decade. “That’s how you create value — showing the outcomes and the business problems. Because if you don’t, you’re simply seen as somebody who just hangs stuff. And if the stuff you hung becomes the problem, you’re probably not going to keep that customer.”

In OT security, the stakes for that calculus are higher than anywhere else in the integrator’s portfolio. Critical infrastructure has no tolerance for a mistake born of incomplete architecture knowledge or an eagerness to sell the wrong system. “In critical infrastructure, there isn’t a next day once you screw up,” Bourgeix says.

The integrators who build OT competency now — who develop the consultant relationships, learn the segmentation principles, understand the governance frameworks, show up to client conversations with architecture awareness rather than product catalogs, and who treat this moment as a strategic inflection point — will define the next generation of the trusted advisor role in critical infrastructure.

About the Author

Paul Rothman

Editor-in-Chief/Security Business

Paul Rothman is Editor-in-Chief of Security Business magazine (www.securitybusinessmag.com) and has been covering the security industry for various outlets since 2001. Email him your comments and questions at [email protected].