- What: Iranian, Russian, and Chinese state-aligned groups are actively probing and breaching US and allied water and wastewater control systems.
- Impact: Attackers have manipulated HMIs and PLCs at multiple small utilities, demonstrating the ability to alter chemical dosing, pressure, and pump operations.
- Fix / mitigation: Remove OT/HMI devices from the public internet, kill vendor default and shared credentials, enforce MFA on remote access, and segment IT from OT per CISA and EPA guidance.
- Who's at risk: The 150,000-plus public water systems in the US, especially small rural utilities with few staff and flat networks, plus allied operators abroad.
Iran, Russia, and China are no longer just spying on water infrastructure. Threat groups tied to all three are actively probing, breaching, and in some cases manipulating the control systems that run US and allied water and wastewater utilities. The goal is shifting from intelligence collection to pre-positioning for sabotage, and the targets are the least defended operators in critical infrastructure.
The US has more than 150,000 public water systems. The vast majority are small, rural, and run by a handful of people. Many expose human-machine interfaces (HMIs) and programmable logic controllers (PLCs) directly to the internet, secured by nothing more than a vendor default password. That combination of low budgets, flat networks, and exposed OT is exactly what makes water the softest target among the sixteen critical infrastructure sectors.
Three actors, three motives
Iran-aligned groups, including the IRGC-linked CyberAv3ngers, have hit utilities running Israeli-made Unitronics PLCs, defacing HMIs and disrupting operations as politically motivated retaliation. Russia-aligned hacktivists have manipulated control systems at water and wastewater sites to cause tank overflows and pump malfunctions, treating utilities as cheap, high-visibility pressure points. China's Volt Typhoon is the most strategic of the three, quietly embedding in critical networks to hold access for a future conflict rather than to make noise today.
China's Volt Typhoon activity is not opportunistic. CISA assesses these intrusions are designed to maintain persistent, stealthy access so the actor can disrupt or destroy services during a geopolitical crisis. Access established today is the weapon staged for later.
How they get in
None of this requires advanced exploits. The intrusions documented so far lean on the cheapest possible attack paths, which is what makes them repeatable at scale across thousands of small utilities.
- Internet-exposed HMIs and PLCs reachable by a simple Shodan-style scan
- Vendor default and factory-set passwords that were never changed
- Shared or reused credentials with no multi-factor authentication
- Remote access tools and VPNs left open for contractors and integrators
- Flat networks where IT and OT sit on the same segment with no separation
What sabotage actually looks like
Manipulating a water system does not require dramatic Hollywood code. An attacker with HMI access can alter chemical dosing setpoints, change pressure and flow, stop pumps, or trigger overflows. In the documented incidents, attackers proved they could reach and change these controls. Operational safeguards and manual oversight prevented public harm in the cases disclosed so far, but that margin depends on staff noticing fast, and most small utilities have no one watching the OT network at all.
Every documented intrusion exploited a control that the utility could have closed for little or no money: pull OT off the public internet, change default passwords, and segment the network. These are not expensive capital projects. They are configuration changes that eliminate the entire attack class these actors rely on.
What to do now
CISA and the EPA have issued repeated advisories, and the actions they call for are unglamorous and effective. If you operate, oversee, or support a water utility, these are the priorities.
- Get every HMI, PLC, and OT device off the public internet; if remote access is required, put it behind a VPN with MFA
- Change all default, shared, and factory-set credentials immediately and enforce strong unique passwords
- Segment IT from OT so a compromised business network cannot reach control systems
- Inventory internet-exposed assets using CISA's free scanning and Shields Up guidance
- Build and rehearse a manual-operations and incident-response plan so the plant can run if controls are lost
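As an added illustration (not CISA, EPA or RedEye tooling), the following Python turns the attack paths listed above and the first four priorities into a repeatable audit over a utility's own asset inventory. The asset records, subnet ranges and field names are constructed assumptions; a real run would load the inventory from the utility's documentation or a passive discovery tool.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory record; the field names are assumptions for this example.
@dataclass
class Asset:
    name: str
    zone: str               # "OT" or "IT"
    ip: str
    internet_exposed: bool  # public address or inbound port-forward recorded for it
    default_creds: bool     # vendor/factory password never changed
    remote_access: str      # "none", "vpn_mfa", "vpn_no_mfa", or "direct"

# Assumed segment plan: business network vs. control network.
IT_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]
OT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample inventory (TEST-NET and private addresses only).
INVENTORY = [
    Asset("chem-dosing-hmi", "OT", "203.0.113.10", True, True, "direct"),
    Asset("filter-plc", "OT", "192.168.1.25", False, False, "vpn_mfa"),
    Asset("pump-plc", "OT", "10.10.1.5", False, False, "vpn_mfa"),
    Asset("billing-pc", "IT", "192.168.1.50", False, False, "none"),
]

def audit(assets, it_subnets=IT_SUBNETS):
    """Return (asset name, finding) pairs, one per control the asset violates."""
    findings = []
    for a in assets:
        addr = ipaddress.ip_address(a.ip)
        if a.zone == "OT":
            # Priority 1: no HMI, PLC or other OT device reachable from the internet.
            if a.internet_exposed or addr.is_global:
                findings.append((a.name, "internet-exposed OT device"))
            # Priority 3: an OT address inside a business subnet means a flat network.
            if any(addr in net for net in it_subnets):
                findings.append((a.name, "OT device on IT segment"))
        # Priority 2: default, shared or factory credentials on any device.
        if a.default_creds:
            findings.append((a.name, "default credentials"))
        # Priority 1 (remote access clause): only VPN with MFA is acceptable.
        if a.remote_access in ("direct", "vpn_no_mfa"):
            findings.append((a.name, "remote access without MFA"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

In the constructed inventory the chemical-dosing HMI fails three controls and the filter PLC fails only segmentation, which is the kind of prioritised list a small utility can act on or attach to a grant application.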
How RedEye helps water utilities close this exposure
Most small utilities already know they should pull OT off the public internet and change default passwords. What they lack is anyone on staff who can find every exposed device, prove the network is actually segmented, and document it for a board or a grant application. That is the gap RedEye Security closes. We run ICS security engagements built specifically for small and mid-size water systems, and the methodology is matched to the exact attack paths these three actors rely on.
- Passive, read-only assessment. We ship a hardened sensor that plugs into a monitoring SPAN port and watches traffic. It never sends a packet to your PLCs or HMIs, so there is zero operational risk to a live treatment process. Everything we learn, we learn by listening.
- Complete OT asset inventory. Over four weeks we identify every networked device, its firmware, its protocols, and anything communicating outside your perimeter, including the internet-exposed HMIs and contractor remote-access paths these actors hunt for.
- Compliance and grant mapping. Every finding is mapped to the AWIA Section 2013 requirement or CISA Performance Goal it addresses, and we identify the federal programs (EPA SECURE, DWSRF, CWSRF, FEMA HSGP) that can fund the work so the budget is not a blocker.
The first step is a free 30-minute scoping call with no obligation. If you want the full picture first, the engagement overview walks through every phase, timeline, deliverable, and the fixed price, and the 10-minute self-assessment gives you a baseline read on your current exposure.
The bottom line
Water is being treated by three separate nation-states as a soft underbelly of US critical infrastructure, and they are right that it is poorly defended. But the same low sophistication that makes these intrusions possible also makes them preventable. Utilities that close internet exposure, kill default credentials, and segment their networks remove the exact foothold every one of these actors depends on. The clock is running, and the cheapest fixes are the ones that matter most.
Is your water system exposed?
RedEye Security runs passive, non-disruptive ICS assessments built for small and mid-size water utilities, mapped to AWIA and CISA and structured to work with federal grant funding.