The Resurfacing And What It Indicates
Industrial control system reconnaissance activity has resurfaced across U.S. water and energy distribution operators in the trailing ten days. The tradecraft signatures, as observed in the available defender telemetry, are consistent with Iranian-affiliated programs that have been on operational standby through the first quarter and have now returned to active reconnaissance posture. The resurfacing is the signal that this column has been preparing readers for since the late January coverage of the Iranian cyber recalibration.
I am withholding the specific affected operators, the specific control-system platforms the activity has targeted, and the precise tradecraft signatures the defenders are using to identify the operator's footprint. The disclosure cycle for this category of activity, in coordination with the Cybersecurity and Infrastructure Security Agency and with the affected critical infrastructure sector coordinating councils, is in motion. Public naming at this stage would compromise the coordination and the affected operators' remediation work.
The Target Profile
The target profile across the trailing ten days concentrates on mid-tier water distribution operators in three regions, on electric distribution cooperatives in two regions, and on natural gas distribution operators whose service territory includes population centers of substantial size. The selection pattern is consistent with an Iranian-affiliated program's documented interest in U.S. critical infrastructure verticals whose disruption would produce widely visible consequences. The interest is not new. The active reconnaissance posture, after the standby period, is the new development.
The selectivity within the target profile is informative. The operator clusters are not casting a broad net. The clusters are working specific operator categories whose control-system architecture has, in prior FBI and CISA advisory cycles, been characterized as exposed to the kinds of tradecraft signatures the current activity is exhibiting. The clusters are following the published advisory architecture in reverse: identifying the operators most likely to have the configurations the advisories warned against, and probing those operators preferentially.
The Tradecraft Signatures
The tradecraft signatures across the current activity include several reproducible patterns that defenders with the right telemetry vantage can identify. Internet-exposed Automatic Tank Gauge interfaces on fuel storage infrastructure are being probed for the specific configuration patterns that prior advisory cycles characterized. Programmable Logic Controller management interfaces are being scanned for the categories of misconfiguration that the FBI's April 2026 industrial advisory cycle warned against. Human-Machine Interface platforms are being enumerated for the patterns that would allow project-file manipulation and display data alteration.
The combination of these three signatures, occurring in the same operator-cluster activity windows, is the combination Iranian-affiliated programs have shown in their documented prior campaigns. The combination is also the combination the FBI's industrial advisory cycle has explicitly described in unclassified form. The activity is not new in its categorical sense. The activity is, in its current scale and tempo, new in its operational sense.
The Defensive Read
The defensive read for the next ten days requires three actions for any U.S. operator in the water, electric, or natural gas distribution categories. Audit your internet-exposed industrial control system interfaces against the FBI advisory architecture. Disable any interfaces that are exposed without authentication, behind weak authentication, or in configurations that do not match the advisory's hardened-baseline guidance. The advisory architecture has been public for over a year. The operators in scope are the operators whose remediation against the architecture has been incomplete.
These are the questions to ask your operations technology team this week. Do you have an inventory of internet-exposed industrial control interfaces on your distribution network, refreshed within the trailing 30 days? Are any of those interfaces operating without authentication, with default authentication, or with authentication that does not meet the FBI advisory's recommended posture? Have you tested your incident response procedures against an industrial control system incident in the trailing 90 days? Each question, answered with evidence rather than assumption, confirms one element of a defensive posture appropriate to the threat the current activity represents.
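One way to turn those three questions into a repeatable check against an OT asset inventory, as an added example that is not part of the column; the inventory fields, the sample records, the "mfa" baseline and the fixed audit date are assumptions for illustration:

```python
"""Audit an OT interface inventory against the three questions above.
Added example; field names, thresholds and records are constructed."""
from datetime import date

# Constructed sample inventory (not real assets).
# auth is one of: none | default | password | mfa
INVENTORY = [
    {"asset": "atg-site-04", "type": "ATG", "exposed": True,
     "auth": "none", "verified": date(2026, 4, 20)},
    {"asset": "plc-pump-12", "type": "PLC", "exposed": True,
     "auth": "default", "verified": date(2026, 2, 1)},
    {"asset": "hmi-booster-2", "type": "HMI", "exposed": True,
     "auth": "password", "verified": date(2026, 4, 25)},
    {"asset": "hist-01", "type": "Historian", "exposed": False,
     "auth": "mfa", "verified": date(2026, 4, 28)},
]

# Assumed hardened baseline for anything reachable from the internet;
# substitute the advisory's actual recommended posture.
ACCEPTABLE_AUTH = {"mfa"}
DISABLE_NOW_AUTH = {"none", "default"}   # the column's "disable" cases


def audit(inventory, ir_last_tested, today,
          inventory_max_age=30, ir_max_age=90):
    """Return findings for: stale inventory (Q1), weak exposed
    interfaces (Q2) and overdue IR exercise (Q3)."""
    stale = [a["asset"] for a in inventory
             if (today - a["verified"]).days > inventory_max_age]
    weak = [(a["asset"], a["auth"]) for a in inventory
            if a["exposed"] and a["auth"] not in ACCEPTABLE_AUTH]
    disable_now = [asset for asset, auth in weak
                   if auth in DISABLE_NOW_AUTH]
    ir_overdue = (today - ir_last_tested).days > ir_max_age
    return {
        "stale_inventory": stale,
        "weak_exposed": weak,
        "disable_now": disable_now,
        "ir_overdue": ir_overdue,
        "ok": not (stale or weak or ir_overdue),
    }


if __name__ == "__main__":
    # Fixed audit date so the example is reproducible offline.
    report = audit(INVENTORY, date(2026, 1, 15), date(2026, 5, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```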
What I Will Not Publish
I will not publish the specific operator categories affected. I will not publish the specific control system platforms the activity has targeted. I will not publish the precise tradecraft signatures defenders are using to identify the operator's footprint. I will not publish the indicators of compromise at IOC-grade specificity. The discipline of the withholding is the discipline that prevents the column from accelerating the operator's pivot to alternative targets within the same vertical.
The discipline also serves the affected operators directly. The operators whose configurations are most exposed are now in the remediation work that the activity is forcing. That remediation work benefits from the adversary believing that the affected configurations have not yet been identified publicly. The corresponding defensive posture in the broader vertical does not require the specific identification.
The Attribution Posture
I am calling the current activity Iranian-affiliated with high confidence. The basis for the confidence is the tradecraft signature consistency with prior documented Iranian campaigns, the targeting selectivity that maps to documented Iranian collection and disruption requirements, and the timing of the resurfacing relative to the broader Iranian cyber recalibration that the intelligence community has been tracking since late January. The attribution is consistent with the Iranian-affiliated cluster activity the FBI has characterized in its industrial advisory cycle.
What I will not name at this stage is the specific operator cluster. The cluster identification work will benefit from the additional artifacts that the disclosure cycle is producing. The defensive guidance does not depend on the cluster being named. The defensive guidance depends on operators in the affected verticals running the defensive playbook against their own configurations on the timeline the activity demands.
What To Expect
The Cybersecurity and Infrastructure Security Agency advisory cycle, in coordination with the FBI, is expected to produce sector-specific guidance within the next several business days. The guidance will not name the operator cluster. The guidance will identify the categories of configuration that operators in the affected verticals should audit and remediate. The advisory will, on the cadence pattern this column has observed across prior similar episodes, generate the public reporting that anchors the broader defender community's response.
The defenders who acted on the framing in this column will be ahead of the cycle by the margin that matters. The defenders who waited will be reading the advisory and reacting under the pressure that retroactive analysis always produces. The activity has been ongoing for longer than the public reporting suggests. The cluster has a designator. It does not yet have a press release. By the time it does, your incident response team should already know what to do. Track the activity, not the artifact.