Critical Infrastructure

Iran, Russia and China Are Targeting Water Systems With Default Passwords

The attack method is not sophisticated. Operators at water and wastewater facilities are leaving programmable logic controllers exposed to the internet, running on default credentials, sitting on flat networks with no meaningful segmentation. Iran, Russia and China have noticed.

CISA has confirmed in multiple advisories that state-linked threat actors are actively exploiting these conditions against water infrastructure. In a November 2023 advisory, CISA attributed specific PLC attacks to actors affiliated with Iran’s Islamic Revolutionary Guard Corps, who compromised internet-exposed Unitronics Vision Series controllers across water and other sectors by entering the manufacturer’s default password. The advisory is unambiguous: “In a few cases, this activity has resulted in operational disruption and financial loss.”

Dark Reading reported in February 2024 that Russian and Chinese actors have pursued similar objectives against water systems, with exposed operational technology devices and poor network segmentation as the common thread across incidents. No zero-days required. No custom malware. Just credentials that were never changed.

Why Water Infrastructure Is This Exposed

PLCs in water facilities were designed for reliability and operator access, not for internet exposure. Many of these devices predate modern security practices and were installed before remote access became routine. When facilities shifted to remote monitoring, especially during and after the pandemic, OT systems that were never meant to face the internet ended up exactly there, often without compensating controls.

Dragos, which tracks OT threats across industrial sectors, has documented the structural problem repeatedly: water utilities run lean IT and OT teams, procurement cycles for critical hardware stretch across decades, and patching legacy control systems carries genuine operational risk. A treatment plant cannot take a SCADA system offline for a patch window the way a corporate IT team patches a server.

TXOne Networks, which focuses on OT security, identifies the same cluster of vulnerabilities across water sector incidents: default credentials left unchanged at installation, remote access enabled without MFA, and engineering workstations that bridge the IT and OT networks. Each of those conditions is a problem on its own. All three together are an open door.

Rhode Island’s Six Incidents in Six Years

The scale of exposure is not theoretical. According to Dark Reading’s reporting, municipal water facilities in Rhode Island logged 6 cyberattacks over six years, including incidents at a large wastewater utility. The figure comes from a single state with a limited number of facilities. It is not a national dataset and I would not treat it as representative of a wider rate without a larger source. But 6 incidents at one state’s water systems is a specific, verifiable data point, and it is not reassuring.

Senator Sheldon Whitehouse raised the issue before the Senate Committee on Environment and Public Works in early 2026, framing water system cyber threats as an urgent national security concern. Congressional attention at that level usually follows confirmed incidents, not hypothetical risk.

The Attribution Question

CISA’s November 2023 advisory naming IRGC-affiliated actors is the most solid attribution on record for water sector attacks. It is grounded in incident response data and corroborated by the FBI and NSA. The broader framing that Russia and China are pursuing the same targets is analytically credible and consistent with each country’s known interest in pre-positioning inside critical infrastructure, but the evidentiary standard for those attributions is lower than in the IRGC case. Treat the CISA advisory as confirmed. Treat the wider nation-state framing as assessed, not proven.

What is not in dispute is the objective. Disrupting water treatment, wastewater processing or distribution systems causes immediate public health consequences. That makes water infrastructure a high-value target for any actor interested in coercive leverage over a population, whether in a conflict scenario or as a standing threat.

The Nordic Position

No specific Swedish, Norwegian, Finnish or Danish water facility has been named in the source data reviewed for this article. I will not invent one. What is accurate is that Nordic water utilities operate the same categories of OT hardware, face the same remote-access pressures and fall within the scope of the same threat actors that CISA has documented targeting Western infrastructure.

Sweden’s NIS2 implementation, Cybersäkerhetslagen, which entered into force on 15 January 2026, places water and wastewater operators in scope as essential entities under MSB supervision. The law requires documented risk assessments, network segmentation controls and incident reporting within 24 hours of becoming aware of a significant incident. Whether Swedish operators have completed that groundwork is a question their supervisory authority will eventually answer with enforcement actions rather than questionnaires.

Three Controls That Close the Largest Gaps

CISA’s advisory on IRGC PLC exploitation is explicit about what works. These are not aspirational security goals. They are the controls that would have stopped the documented attacks.

  1. Change default credentials on every PLC and OT device. The Unitronics attack used the manufacturer default. If your inventory audit cannot confirm every device has a unique, strong password, start there today.
  2. Remove direct internet exposure from PLCs and SCADA systems. If remote access is operationally necessary, route it through a VPN with MFA enforced at the gateway. An internet-facing HMI is not a remote access solution. It is a vulnerability.
  3. Segment OT networks from IT networks. A compromised engineering workstation should not have a routable path to treatment control systems. If it does, that is the fix to prioritise before any other investment.
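As an added illustration of how the three controls can be checked against an asset inventory, the following Python script is example code written for this page; it is not from the article, from CISA or from eBuilder Security. The inventory records, zone names, firewall rules and the "ra-gateway" device are all constructed sample data, and the inventory field "default_credentials" is assumed to be the outcome of a prior credential audit rather than anything the script probes itself. The script flags each PLC or HMI that is still on vendor defaults, that is reachable from the internet without passing an MFA-enforcing gateway, or that has a routable path from the IT zone, and orders the findings by the same priority the list above gives them.

```python
"""Offline OT exposure audit against CISA's three controls (added example).

Inventory and zone firewall rules are constructed sample data. Reachability
is computed over zone-to-zone allow rules with a breadth-first search.
"""
from collections import deque

# Constructed inventory. "default_credentials" = result of a prior credential
# audit (True means the vendor default is still set). "mfa" applies to gateways.
INVENTORY = [
    {"name": "plc-intake-01", "type": "PLC", "zone": "control", "default_credentials": True},
    {"name": "plc-chlorine-02", "type": "PLC", "zone": "control", "default_credentials": False},
    {"name": "hmi-ops-01", "type": "HMI", "zone": "control", "default_credentials": False},
    {"name": "eng-ws-01", "type": "workstation", "zone": "it", "default_credentials": False},
    {"name": "ra-gateway", "type": "vpn_gateway", "zone": "dmz",
     "default_credentials": False, "mfa": True},
]

# Constructed zone-level firewall policy. "via" names the gateway device that
# brokers the connection, or None when traffic is allowed straight through.
RULES = [
    {"src": "internet", "dst": "dmz", "via": "ra-gateway"},   # VPN with MFA: acceptable
    {"src": "dmz", "dst": "control", "via": None},           # VPN users reach control zone
    {"src": "it", "dst": "control", "via": None},            # flat IT/OT network
    {"src": "internet", "dst": "control", "via": None},      # legacy port-forward to PLCs
]


def reachable_zones(start, edges):
    """Breadth-first search over (src, dst) allow edges; returns all zones reachable from start."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in edges:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def unauthenticated_edges(rules, gateways):
    """Edges usable without MFA: no gateway on the rule, or a gateway that lacks MFA.
    An unknown gateway name is treated conservatively as having no MFA."""
    return [(r["src"], r["dst"]) for r in rules
            if r["via"] is None or not gateways.get(r["via"], {}).get("mfa", False)]


def audit(inventory, rules):
    """Return sorted (priority, asset, finding) tuples.
    1 = default credentials, 2 = internet exposure / missing MFA, 3 = IT-to-OT path."""
    gateways = {a["name"]: a for a in inventory if a["type"] == "vpn_gateway"}
    all_edges = [(r["src"], r["dst"]) for r in rules]
    from_internet = reachable_zones("internet", unauthenticated_edges(rules, gateways))
    from_it = reachable_zones("it", all_edges)

    findings = []
    for asset in inventory:
        name, zone = asset["name"], asset["zone"]
        if asset["default_credentials"]:
            findings.append((1, name, "still using vendor default credentials"))
        if asset["type"] == "vpn_gateway" and not asset.get("mfa", False):
            findings.append((2, name, "remote access gateway without MFA"))
        if asset["type"] in ("PLC", "HMI"):
            if zone in from_internet:
                findings.append((2, name, "reachable from the internet without an MFA gateway"))
            if zone in from_it:
                findings.append((3, name, "routable path from the IT zone"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, name, finding in audit(INVENTORY, RULES):
        print(f"P{priority} {name}: {finding}")
```

With the sample policy, the MFA-protected VPN path is not reported as exposure, but the legacy port-forward rule and the IT-to-control rule make every controller and HMI show up under priorities 2 and 3, while the device still on defaults sits at the top of the list. Removing the port-forward rule clears all priority-2 findings, which is the point of the check: the VPN with MFA is the remote-access solution, the direct rule is the vulnerability.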

CISA’s full advisory, AA23-335A, includes specific indicators of compromise tied to the IRGC Unitronics campaign and is linked in the references below. Any water or wastewater operator that has not read it should do so before the next board meeting, not after.

References

  1. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors
  2. Iran, Russia, China Target Water Systems for Sabotage
  3. Iranian Threat Actors Target US Critical Infrastructure via Exposed PLCs
  4. CISA Alerts OT/ICS Operators of Ongoing Cyber Threats to Water and Wastewater Systems
  5. Whitehouse Highlights Urgent Cyber Threats to US Water Systems
  6. Protecting Water Infrastructure from OT Cyber Threats
  7. Cyber Threats to Water and Wastewater Sector


Per Häggdahl

Per Häggdahl is Head of Business Unit and CISO at eBuilder Security, with more than 20 years securing systems for banks, central banks, stock exchanges and central securities depositories, now leading the team that brings that same enterprise-grade protection to organisations of every size.