Exposed OT, Nation-State Access, and the Next Critical Infrastructure Crisis
Iranian and Chinese state-sponsored cyber actors are increasingly targeting exposed operational technology (OT) environments across critical infrastructure sectors. Learn why internet-facing industrial systems have become a national security concern and what operators must do to reduce risk.

Executive Overview

The cyber risk facing US critical infrastructure has moved beyond the familiar language of data theft, ransomware, and IT network compromise. The more consequential concern now sits inside operational technology environments: water treatment systems, electric utilities, healthcare facilities, municipal infrastructure, industrial controllers, remote access gateways, and engineering workstations that directly support physical-world services.


Iranian and Chinese state-linked cyber actors are exploiting the same weakness from different strategic directions. Iranian-aligned groups are using exposed industrial systems for disruptive, politically visible operations. Chinese state-sponsored clusters are taking a quieter and more patient approach, using stealth, persistence, and pre-positioning to create future options during a geopolitical crisis.

As of April 2026, a joint advisory from the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command confirmed that Iranian-affiliated APT actors are actively targeting internet-exposed PLCs across water, energy, and government facility sectors, with documented operational disruption and financial losses at victim organizations. [1]

The shared enabler is not exotic malware or a rare zero-day vulnerability. It is a long-standing structural failure: too many OT systems remain reachable from the public internet, protected by weak authentication, outdated firmware, default credentials, incomplete segmentation, and limited monitoring.


This matters because operational technology is not simply another enterprise asset class. A compromised PLC, HMI, SCADA component, or engineering workstation can affect water pressure, treatment processes, grid operations, manufacturing output, emergency services, and public safety. When adversaries gain access to these environments, the risk is no longer limited to information exposure. It can become an operational disruption.


The current threat environment demands a shift in mindset. Critical infrastructure operators can no longer treat OT exposure as a technical hygiene issue waiting for the next maintenance cycle. It is now a national security risk, a public safety issue, and a board-level operational resilience priority.


Why Exposed OT Has Become a Strategic Target

Operational technology was not designed for the internet-facing world it now inhabits.


Industrial control systems were historically built for reliability, deterministic performance, and long equipment lifecycles. Security assumptions were different. Many systems operated in isolated environments where physical access, not remote intrusion, was considered the main risk.


A 2025 analysis of publicly accessible OT environments found nearly 70,000 exposed OT devices globally, with notable concentrations in North America and Europe. Many of these systems exposed identifying details such as protocols, vendor information, and outdated firmware versions, reinforcing how reconnaissance against industrial assets can often begin without a sophisticated intrusion chain. [2]


Remote monitoring, vendor support, IT-OT convergence, cloud-connected management, staffing shortages, and post-pandemic remote access needs have expanded the external exposure of industrial environments. In many cases, this expansion happened faster than security governance could mature.

The ODNI's 2026 Annual Threat Assessment noted that Chinese APT actors such as Volt Typhoon and Salt Typhoon exhibit tactics and target selection that extend beyond traditional cyber espionage or intelligence-gathering operations. [3]

For adversaries, this creates a low-friction entry point. They do not always need advanced intrusion chains. They can identify exposed devices, test credentials, exploit known vulnerabilities, abuse remote access paths, and move toward operational systems through trusted connections.


This is why internet-exposed OT is such an attractive target. It combines high operational impact with inconsistent security maturity.


The Iranian Model: Disruption, Signaling, and Opportunistic OT Abuse

Iranian-aligned cyber activity against OT environments is best understood through the lens of disruption and political signaling.


Groups associated with Iran’s Islamic Revolutionary Guard Corps and aligned hacktivist brands have repeatedly shown interest in critical infrastructure systems that create visible public impact. Water utilities, municipal systems, healthcare facilities, and energy-related environments are especially attractive because disruption in these sectors can generate fear, media attention, and political messaging disproportionate to the technical complexity of the attack.


The CyberAv3ngers activity against internet-exposed industrial control systems illustrates this model. The group’s operations have focused heavily on vulnerable PLCs and HMIs, including systems that were accessible online and protected by weak or default credentials. The attacks did not require highly sophisticated exploitation. They relied on exposed devices, poor configuration, and inadequate access control.


That is precisely what makes the threat so serious. The barrier to entry is not always high, but the potential consequences can be meaningful.


Iranian-linked operations are often noisier than Chinese operations. They may involve defacement, public claims, political messaging, or visible disruption. This does not make them less dangerous. In some cases, noisy operations are the point. They are designed to demonstrate reach, undermine confidence, and create public pressure.


The strategic value for Iran is clear. By targeting under-resourced utilities and municipal infrastructure, threat actors can produce operational anxiety, reputational damage, and political visibility without needing to defeat the most hardened national systems.


The Chinese Model: Persistence Before Crisis

Chinese state-sponsored activity targeting operational technology follows a different strategic model.

Where Iranian-linked operations have often emphasized visible disruption and psychological impact, Chinese campaigns associated with groups such as Volt Typhoon have demonstrated a greater focus on long-term access, operational reconnaissance, network mapping, and strategic pre-positioning.

The objective is not necessarily immediate disruption. The objective is optionality.

Persistent access to critical infrastructure provides strategic leverage. In the event of geopolitical escalation, military conflict, or a crisis involving the United States and its allies, access to utilities, telecommunications networks, transportation systems, water infrastructure, and energy environments could be used to disrupt operations, delay response efforts, create uncertainty, or increase domestic pressure.

This is what makes Chinese infrastructure targeting particularly concerning. A quiet intrusion that remains undetected for months may have greater strategic significance than a short-lived disruptive event. The risk lies not only in what an adversary does today, but in what it may be positioned to do tomorrow.

Activity associated with Volt Typhoon illustrates this approach. Public reporting has highlighted long dwell times, disciplined operational security, careful lateral movement, extensive reconnaissance, and a sustained interest in operational technology environments. These characteristics are consistent with a campaign focused on understanding critical infrastructure and maintaining future access rather than pursuing immediate disruption.

Operational technology intelligence has enduring value. Network diagrams, engineering workstation access, SCADA visibility, utility topology data, and operational workflows provide insight into how critical systems function and where they may be vulnerable. Such information can support future disruption, influence operations, or contingency planning.

In this model, reconnaissance is not merely intelligence collection. It is preparation.

Different Playbooks, Same Weakness

Iranian and Chinese threat actors differ in intent, patience, and operational style. But they converge on the same category of weakness: exposed and under-defended OT environments.


Iranian-linked actors typically move faster. They look for reachable systems, weak credentials, default passwords, exposed interfaces, and misconfigured devices. Their campaigns often align with geopolitical triggers and may prioritize impact, publicity, or symbolic disruption.


Chinese state-sponsored actors tend to move more quietly. They use living-off-the-land techniques, legitimate administrative tools, stealthy lateral movement, and long-term persistence. Their goal is often to blend into normal activity and avoid detection for as long as possible.


The difference matters for defenders. Iranian activity may produce more obvious indicators. Chinese activity may require deeper detection maturity, behavioral analytics, asset visibility, and OT-aware monitoring.


Yet the starting point is often the same. Both types of adversaries benefit when industrial devices are exposed to the internet, remote access systems are poorly secured, credentials are reused, logging is incomplete, and IT-OT boundaries are weak.


This is the uncomfortable lesson for infrastructure operators: adversaries do not need to choose the most difficult path. They will use the path defenders have left open.


Water Systems: The Softest Target With the Highest Public Impact

Water and wastewater infrastructure remains one of the most exposed and under-resourced sectors in the OT threat landscape.


Many water utilities operate with small teams, limited cybersecurity budgets, aging industrial systems, and a strong operational focus on uptime. Security improvements can be difficult to prioritize when teams are already managing regulatory pressure, infrastructure maintenance, staffing constraints, and public service obligations.


That makes the sector highly attractive to Iranian-aligned actors seeking visible disruption. Water systems are local, essential, and deeply tied to public trust. Even limited interference can generate outsized concern if it affects treatment operations, alarms, pressure systems, chemical dosing, or public communications.


The sector’s exposure is not only theoretical. In May 2024, the EPA reported that more than 70% of water systems inspected since September 2023 violated basic Safe Drinking Water Act Section 1433 requirements, including gaps in risk and resilience assessments and emergency response plans. Inspectors also found practical cybersecurity failures such as unchanged default passwords, shared staff logins, and inadequate access removal for former employees. [4]


The sector also presents a broader national challenge. The United States has thousands of water and wastewater operators, many serving smaller communities. A centralized security model does not easily fit such a fragmented environment. Adversaries understand this asymmetry.


For defenders, the priority is not only advanced detection. It is basic exposure reduction: removing internet-facing industrial devices, enforcing strong authentication, reviewing remote access paths, monitoring controller changes, and ensuring that operators can respond quickly when suspicious activity appears.


Energy Infrastructure: The Long Game

Energy infrastructure remains a primary focus of strategic pre-positioning campaigns because it underpins nearly every other critical sector. Power generation, transmission, and distribution systems support healthcare, telecommunications, financial services, transportation, water treatment, emergency response, and national defense. Disruption within the energy sector can therefore produce cascading effects far beyond the initial target.

This reality gives persistent access to energy environments significant strategic value. An adversary does not need to initiate disruption for the access to matter. The ability to act during a future crisis may be sufficient to create leverage, influence decision-making, or complicate response efforts.

Chinese-linked activity involving utility networks, OT data collection, remote access pathways, and infrastructure reconnaissance should be viewed through this lens. Such operations are often designed to develop a detailed understanding of critical systems, operational dependencies, and potential points of failure. The objective is to identify which assets are most consequential, how they interconnect, and where disruption could generate the greatest operational impact.

For energy operators, the distinction between IT and OT security is increasingly artificial. An intrusion into corporate IT systems can provide access to engineering documentation, network diagrams, remote access credentials, GIS data, vendor relationships, and operational procedures. Individually, these assets may appear administrative. Collectively, they can provide a roadmap for future operations against OT environments.

As a result, energy resilience depends on a unified view of risk across both IT and OT domains. Visibility limited to one environment leaves critical gaps in understanding how adversaries gain access, establish persistence, and develop the operational intelligence needed for future disruption.

Healthcare and Municipal Infrastructure: Cascading Risk Zones

Healthcare and municipal environments face a unique security challenge because they sit at the intersection of complex IT environments, operational technology dependencies, public service delivery, and constrained cybersecurity resources.

In healthcare, patient care depends on far more than clinical systems alone. Hospitals rely on building management systems, emergency power, HVAC, physical access controls, elevators, water infrastructure, medical device networks, and other operational technologies. Disruption to any of these supporting systems can affect care delivery, create operational instability, and introduce patient safety concerns, even when clinical devices remain unaffected.

Municipal environments face a similar challenge. Local governments often operate interconnected networks supporting public works, utilities, emergency services, administrative functions, and external service providers. Shared infrastructure and extensive vendor relationships create dependencies that can allow a compromise in one area to expose credentials, remote access pathways, operational systems, or sensitive information elsewhere in the environment.

These characteristics make healthcare and municipal organizations attractive targets for multiple threat actors, albeit for different reasons. Iranian-linked operations have historically favored targets that offer visibility, disruption potential, and public impact. Chinese state-sponsored campaigns have demonstrated greater interest in long-term access, infrastructure mapping, operational intelligence, and the identification of strategic dependencies.

The security challenge extends beyond any individual organization. Healthcare systems, municipal services, utilities, transportation networks, and emergency response functions are increasingly interconnected through shared infrastructure, technology platforms, and third-party providers. A compromise in one environment can create consequences across many others.

The risk is therefore not isolated to a single network, system, or sector. It exists within the connections that bind critical services together.

The Detection Problem in OT Environments

Many critical infrastructure organizations still lack the monitoring depth required to detect modern OT intrusion.


Traditional IT security tools are not always sufficient in industrial environments. OT networks use specialized protocols, legacy devices, engineering workstations, vendor tools, and process-specific traffic patterns. Security teams may see network connections without understanding whether the activity is normal for the industrial process.


This creates a detection gap.


An attacker using legitimate remote access tools may look like a vendor. A change to a controller may look like routine maintenance. Lateral movement through administrative protocols may resemble normal IT activity. Data collection from engineering systems may not trigger obvious alerts.


The problem becomes more serious when adversaries use living-off-the-land techniques. Chinese actors, in particular, have shown a preference for blending into legitimate operations, minimizing malware use, and reducing forensic artifacts. This makes detection heavily dependent on behavioral baselines, asset awareness, log integrity, and cross-domain visibility.


OT security teams need to understand not only whether traffic is allowed, but whether the action makes sense for the process, the device, the operator, the maintenance window, and the environment.


The 48-Hour Vulnerability Window

The patch-management model used in many OT environments is not aligned with the speed of modern exploitation.


Industrial operators often patch slowly for valid reasons. Systems must remain available. Updates may require vendor validation. Downtime may be expensive or operationally risky. Legacy devices may not support modern updates. Some facilities run continuous processes where maintenance windows are rare.


Adversaries exploit this delay.


Chinese-linked clusters and access brokers have demonstrated the ability to weaponize newly disclosed vulnerabilities in internet-facing systems rapidly. Edge devices such as VPN appliances, firewalls, remote access gateways, and enterprise applications are especially attractive because they provide a path toward internal environments.


When an exploit appears within days of disclosure, a quarterly patch cycle becomes inadequate. For internet-facing systems that connect to or support OT environments, patching must move closer to an emergency-response model.


The practical implication is clear: if a device is exposed to the internet and connected to critical operations, it cannot be governed by ordinary enterprise patch timelines.


What Critical Infrastructure Operators Should Do Now

The defensive priority is exposure reduction first, sophistication second.


Organizations should begin by identifying every internet-facing OT asset, remote access path, engineering workstation exposure, vendor access channel, VPN appliance, firewall, and edge system connected to operational environments. Any industrial device directly reachable from the public internet should be treated as an urgent risk unless there is a clearly documented and secured operational requirement.


Default credentials must be eliminated across PLCs, HMIs, RTUs, SCADA systems, engineering workstations, remote access tools, and vendor-managed devices. Credential reviews should include service accounts, shared accounts, maintenance accounts, local admin accounts, and emergency access credentials.


Remote access into OT environments should require phishing-resistant multi-factor authentication, strong segmentation, logging, session control, and explicit approval. Vendor access should be time-bound and monitored.


Internet-facing edge devices must be prioritized for rapid patching. Vulnerabilities in VPNs, firewalls, remote access platforms, and exposed management interfaces should be treated as high-impact OT risks, not routine IT tickets.


OT-native monitoring should be deployed wherever feasible. Operators need visibility into industrial protocols, controller changes, engineering workstation activity, abnormal command sequences, unauthorized scanning, and unexpected communication between IT and OT zones.


Incident response planning must also become OT-specific. A generic IT incident response plan is not enough when an event may affect water treatment, grid operations, industrial safety, or public services. Operators need tested playbooks that include engineering teams, plant operators, vendors, legal counsel, regulators, law enforcement, and executive leadership.
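The detection gap described earlier (an action that is permitted by the network but makes no sense for the device, operator, host, or maintenance window) and the monitoring and vendor-access recommendations above can be turned into concrete triage logic. The following is an added example, not code from the original article or from any vendor product; the key=value log format, host addresses, account names, maintenance window, and vendor session approval are all constructed for illustration.

```python
"""Context-aware triage of OT access events: flags actions the network allowed
but that do not fit the documented engineering hosts, maintenance windows,
approved vendor sessions, or account policy. All values below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events; the key=value layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2026-05-03T01:55:10Z src=10.20.1.10 user=eng_jsmith dst=plc-ws-01 action=login
2026-05-03T02:05:42Z src=10.20.1.10 user=eng_jsmith dst=plc-ws-01 action=program_write
2026-05-03T02:14:07Z src=10.20.5.41 user=vendor_acme dst=plc-ws-01 action=program_write
2026-05-03T02:16:20Z src=10.20.5.41 user=admin dst=hmi-02 action=login
2026-05-03T14:30:00Z src=10.20.1.11 user=eng_rlee dst=plc-dose-03 action=config_write
2026-05-04T03:10:00Z src=10.20.5.41 user=vendor_acme dst=rtu-07 action=login"""


def ts(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed policy: what the plant has documented as expected behaviour.
POLICY = {
    "engineering_hosts": {"10.20.1.10", "10.20.1.11"},   # only hosts allowed to write logic
    "maintenance_windows": [(ts("2026-05-03T01:00:00Z"), ts("2026-05-03T03:00:00Z"))],
    "vendor_sessions": {"vendor_acme": (ts("2026-05-03T02:00:00Z"), ts("2026-05-03T02:30:00Z"))},
    "default_accounts": {"admin", "operator", "root"},   # default or shared logins to retire
    "write_actions": {"program_write", "config_write"},  # controller changes worth scrutiny
}


@dataclass
class Event:
    when: datetime
    src: str
    user: str
    dst: str
    action: str


def parse_event(line: str) -> Event:
    stamp, *pairs = line.split()
    kv = dict(pair.split("=", 1) for pair in pairs)
    return Event(ts(stamp), kv["src"], kv["user"], kv["dst"], kv["action"])


def in_window(when: datetime, windows) -> bool:
    return any(start <= when <= end for start, end in windows)


def evaluate(events: list[Event], policy: dict) -> list[tuple[int, str]]:
    """Return (event index, rule name) findings; one event may trip several rules."""
    findings = []
    for i, ev in enumerate(events):
        if ev.action in policy["write_actions"]:
            if ev.src not in policy["engineering_hosts"]:
                findings.append((i, "write_from_non_engineering_host"))
            if not in_window(ev.when, policy["maintenance_windows"]):
                findings.append((i, "write_outside_maintenance_window"))
        approved = policy["vendor_sessions"].get(ev.user)
        if approved is not None and not in_window(ev.when, [approved]):
            findings.append((i, "vendor_access_outside_approved_session"))
        if ev.user in policy["default_accounts"]:
            findings.append((i, "default_or_shared_account_used"))
    return findings


def triage(log_text: str, policy: dict = POLICY) -> list[tuple[int, str]]:
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return evaluate(events, policy)


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    for idx, rule in triage(SAMPLE_LOG):
        ev = events[idx]
        print(f"{ev.when:%Y-%m-%d %H:%M}Z {ev.user}@{ev.src} -> {ev.dst} {ev.action}: {rule}")
```

On the constructed log the in-window write from an engineering workstation passes, while the vendor's write from a non-engineering host, the default `admin` login, the daytime configuration write, and the vendor login a day after its approved session are each flagged.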


Analyst Assessment

The threat to US critical infrastructure is active, not theoretical.


Iranian-aligned actors are likely to continue using exposed OT environments as a platform for disruption, political messaging, and public pressure. Their campaigns will remain closely tied to geopolitical events and will likely favor targets where a weak configuration creates a fast operational impact.


Chinese state-sponsored actors represent a longer-term strategic concern. Their focus on persistence, infrastructure mapping, stealth, and pre-positioning suggests preparation for possible future disruption rather than immediate public effect. This makes their activity harder to detect and potentially more consequential.


The most important point is that both threat models are enabled by the same defensive failure: industrial systems that are reachable, under-monitored, weakly authenticated, and insufficiently segmented.


Critical infrastructure operators do not need to solve every cybersecurity problem at once. But they do need to act quickly on the exposures that adversaries are already exploiting. Remove unnecessary internet access. Eliminate default credentials. Harden remote access. Patch edge devices faster. Monitor OT activity. Prepare OT-specific incident response.


The next major infrastructure incident may not begin with a sophisticated exploit. It may begin with a device that should never have been online in the first place.


References


  1. CISA (2026) *AA26-097A: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure*. Cybersecurity and Infrastructure Security Agency. Available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a (Accessed: 21 May 2026).
  2. Rodda, M. and Mavroudis, V. (2025) *Analysis of Publicly Accessible Operational Technology and Associated Risks*. arXiv. Available at: https://arxiv.org/abs/2508.02375 (Accessed: 11 June 2026).
  3. Office of the Director of National Intelligence (2026) *Annual Threat Assessment of the US Intelligence Community*. Available at: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2026-Unclassified-Report.pdf (Accessed: 21 May 2026).
  4. United States Environmental Protection Agency (EPA) (2024) *Enforcement Alert: Drinking Water Systems to Address Cybersecurity Vulnerabilities*. Available at: https://www.epa.gov/enforcement/enforcement-alert-drinking-water-systems-address-cybersecurity-vulnerabilities (Accessed: 11 June 2026).