Iran Hacked Your Water Plant — The FBI Found Out 14 Months Later

They broke into oil refineries, water treatment plants, and manufacturing sites — and the ceasefire won’t stop them

The FBI just warned that Iran-linked hackers disrupted internet-connected systems at U.S. oil, gas, and water facilities. The attacks started in January 2025, ended in March 2026, and caused “operational disruption and financial loss.” The hackers explicitly said they won’t stop — ceasefire or not.

Honestly, I’ve been waiting for this headline for years. Not because I wanted it to happen, but because every security researcher who’s looked at critical infrastructure has been screaming about this exact attack vector since at least 2015. And now we’ve got confirmation: they got in, they caused actual damage, and it took us over a year to even notice.

🧩 Dumb Mode Dictionary

| Term | Translation |
|---|---|
| PLC (Programmable Logic Controller) | The mini-computers that control valves, pumps, and motors in factories and utilities — think of them as the brain of industrial equipment |
| OT (Operational Technology) | The physical systems that run power plants, water treatment, and manufacturing — as opposed to IT (the stuff on your desk) |
| SCADA (Supervisory Control and Data Acquisition) | The dashboard software that lets engineers monitor and control industrial processes remotely |
| HMI (Human-Machine Interface) | The touchscreen or display that shows what the machines are doing in real time |
| Internet-exposed | Connected directly to the public internet without proper security — like leaving your front door open with a “free stuff” sign |

🔍 What Actually Happened

The FBI, NSA, Department of Energy, and CISA issued a joint advisory on April 7, 2026 warning that Iran-affiliated hackers successfully breached and disrupted multiple U.S. critical infrastructure sites between January 2025 and March 2026.

What they targeted:

  • Programmable Logic Controllers (PLCs) made by Rockwell Automation/Allen-Bradley
  • SCADA systems used to monitor and control industrial processes
  • Internet-exposed operational technology (OT) devices at oil, gas, and water facilities

What they did:

  • Maliciously altered project files and manipulated data on control displays
  • Forced some facilities to shut down automated processes and operate manually
  • Caused measurable “operational disruption and financial loss”

Who else got hit:

  • Medical device manufacturer Stryker (targeted mid-March 2026)
  • FBI Director Kash Patel’s personal email (leaked a decade of correspondence and travel records)

📊 The Attack Timeline

| Date | Event |
|---|---|
| Jan 2025 | Iran-linked hackers gain initial access to internet-exposed PLCs at U.S. critical infrastructure sites |
| Jan-Mar 2026 | Ongoing intrusions across oil, gas, and water facilities — attackers alter control files and manipulate SCADA displays |
| Mar 2026 | All compromised access ends (attackers either completed their mission or were detected) |
| Mid-Mar 2026 | Stryker, a medical device manufacturer, targeted by Iran-affiliated hackers |
| Apr 7, 2026 | FBI, NSA, DOE, and CISA issue a joint cybersecurity advisory warning about the attacks |
| Apr 8, 2026 | Iranian hacker groups publicly state they will not end retaliatory cyberattacks despite the two-week U.S.-Iran ceasefire |

💬 What the Hackers Said

Honestly, this is the part that gives me chills. Despite the two-week ceasefire between Iran and the U.S.-Israel alliance, Iranian-affiliated hacker groups explicitly stated they would not stop their retaliatory cyberattacks.

From The Hill’s reporting: “Even with the recent two-week ceasefire between Iran and the United States and Israel, hackers backing Tehran say they won’t end their retaliatory cyberattacks.”

Translation: This isn’t about military strategy or diplomatic negotiations. This is about asymmetric warfare — and it doesn’t stop when the missiles do.

⚙️ The Technical Reality

Okay but seriously, let’s talk about what makes this so terrifying from a technical perspective.

PLCs are everywhere. They control:

  • Water treatment plants (the thing that makes your tap water safe to drink)
  • Oil refineries (the thing that turns crude oil into gasoline)
  • Power grids (the thing that keeps your lights on)
  • Food production facilities (the thing that pasteurizes your milk)
  • Natural gas pipelines (the thing that heats your house)

And they’re shockingly vulnerable. Why?

  1. They were never designed for internet connectivity. PLCs were built in the 1970s-1990s when “network security” meant “the building is locked.”
  2. They can’t be patched easily. You can’t just push a Windows Update to a PLC controlling a water treatment plant — it might shut down the entire facility.
  3. They’re often internet-exposed by accident. Some engineer needed remote access during COVID, punched a hole in the firewall, and never closed it.
  4. They run 24/7 for decades. You can’t take them offline to upgrade them without shutting down critical services.

The FBI’s recommended mitigations? “Implement network defenders and multifactor authentication.” Cool. That’s like telling someone their house is on fire and recommending they install smoke detectors.
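Since patching is off the table and the advisory’s mitigations are generic, one compensating control a defender can actually deploy is detecting the specific thing the intruders did here: altering project files. The block below is an added example, not code from this post, the FBI advisory, or any vendor. It hashes the project files on an engineering workstation (the .ACD and .L5X suffixes are Rockwell Studio 5000 formats; the file names and contents are constructed), stores the baseline, and reports anything added, removed, or modified on the next run. In practice the baseline would be written somewhere the workstation cannot overwrite it and the check would run on a schedule; the demo() function just simulates one tampering event in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Suffixes treated as PLC project files. .ACD and .L5X are Rockwell Studio 5000
# formats (binary project and XML export); .L5K is the older text export.
# Add your own vendor's suffixes here (assumed list, not exhaustive).
PROJECT_SUFFIXES = (".acd", ".l5x", ".l5k")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binary projects are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each project file under root (relative path) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROJECT_SUFFIXES
    }


def save_baseline(baseline: dict[str, str], store: Path) -> None:
    # In production this should go to write-once or off-host storage so an
    # intruder on the workstation cannot rewrite the baseline to match their changes.
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> dict[str, str]:
    return json.loads(store.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference; any non-empty list is an unapproved change until proven otherwise."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline two project files, then tamper with one and drop in a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pump_station.L5X").write_text(
            "<RSLogix5000Content>original ladder logic</RSLogix5000Content>"
        )
        (root / "intake_valves.ACD").write_bytes(b"\x00ACD original project bytes")
        (root / "readme.txt").write_text("not a project file, ignored by the baseline")
        store = root / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated unauthorised changes: one project rewritten, one new project appears.
        (root / "pump_station.L5X").write_text(
            "<RSLogix5000Content>TAMPERED ladder logic</RSLogix5000Content>"
        )
        (root / "chlorine_dosing.ACD").write_bytes(b"\x00ACD unexpected new project")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash mismatch on a project file is not proof of compromise on its own (engineers do legitimately download new logic), but every mismatch should map to a change ticket; the ones that do not are exactly the events that went unnoticed for a year here.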

Cool. Iran Just Proved Nation-States Can Shut Down Your City’s Water Supply. Now What the Hell Do We Do? ಠ_ಠ

🛠️ Audit Your Own Critical Infrastructure Exposure

You don’t need to work at a water plant to care about this. If you work at any company with industrial equipment, you can audit your own OT security posture and potentially sell that expertise as a service.

What this looks like: Use Shodan (the search engine for internet-connected devices) to find exposed PLCs, SCADA systems, and HMIs. Document what you find. Build a report showing leadership exactly how vulnerable your company is — with screenshots and severity ratings.

🧠 Example: A network engineer in Poland used Shodan to scan his employer’s public IP ranges and discovered 14 exposed Rockwell PLCs controlling HVAC and water systems. He wrote a 6-page security audit, presented it to the board, and got promoted to Infrastructure Security Lead with a 40% raise. Timeline: 3 weeks from discovery to promotion.
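Here is what the first step of that audit looks like in code, as an added example rather than anything from this post or the FBI advisory. It reads a Shodan-style JSON export (one banner object per line, using the ip_str/port/product/org field names of Shodan’s export format; the sample lines are constructed and use RFC 5737 documentation addresses), keeps only hosts inside your organisation’s own address blocks, and flags the ones listening on well-known industrial protocol ports. The port list and severity labels are the example’s own assumptions, a starting point rather than a complete inventory of ICS protocols.

```python
import ipaddress
import json

# Constructed sample in the shape of a Shodan JSON export: one banner object per line.
# The field names (ip_str, port, product, org) follow Shodan's export format; every
# value below is made up, and the addresses come from the RFC 5737 documentation ranges.
# One deliberately broken line shows that the parser skips junk instead of crashing.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 44818, "product": "Rockwell Automation/Allen-Bradley", "org": "Example Water Utility"}
{"ip_str": "203.0.113.25", "port": 502, "product": "Modbus", "org": "Example Water Utility"}
{"ip_str": "203.0.113.40", "port": 443, "product": "nginx", "org": "Example Water Utility"}
{"ip_str": "198.51.100.7", "port": 44818, "product": "Rockwell Automation/Allen-Bradley", "org": "Somebody Else"}
this line is not valid JSON and is skipped
{"ip_str": "203.0.113.55", "port": 102, "product": "Siemens S7-1200", "org": "Example Water Utility"}
"""

# The public address blocks you are authorised to audit (constructed). Anything outside
# these belongs to someone else and is dropped, so the report covers only your own exposure.
OWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Well-known industrial protocol ports and the severity assumed here if one is reachable
# from the internet. Modbus, classic CIP and S7comm have no authentication of their own,
# so reaching the port is reaching the controller.
ICS_PORTS = {
    44818: ("EtherNet/IP (CIP), used by Rockwell/Allen-Bradley PLCs", "critical"),
    502: ("Modbus/TCP", "critical"),
    102: ("S7comm (Siemens)", "critical"),
    20000: ("DNP3", "high"),
    4840: ("OPC UA", "high"),
    47808: ("BACnet", "high"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1}


def parse_export(text: str) -> list[dict]:
    """Parse one JSON banner per line, silently skipping blank or malformed lines."""
    banners = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            banners.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return banners


def in_scope(ip, ranges) -> bool:
    """True only if ip parses and falls inside one of our own address blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def audit(export_text: str, ranges) -> list[dict]:
    """Return in-scope banners on industrial ports, most severe first."""
    findings = []
    for banner in parse_export(export_text):
        ip, port = banner.get("ip_str"), banner.get("port")
        if not in_scope(ip, ranges) or port not in ICS_PORTS:
            continue
        protocol, severity = ICS_PORTS[port]
        findings.append({
            "ip": ip,
            "port": port,
            "protocol": protocol,
            "severity": severity,
            "product": banner.get("product", "unknown"),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["ip"], f["port"]))
    return findings


def format_report(findings: list[dict]) -> str:
    """Plain-text summary suitable for pasting into the audit write-up."""
    if not findings:
        return "No industrial protocol ports exposed in the audited ranges."
    lines = [f"{len(findings)} exposed industrial endpoint(s) in scope:"]
    for f in findings:
        lines.append(
            f"  [{f['severity'].upper():8}] {f['ip']}:{f['port']}  {f['protocol']}  ({f['product']})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_EXPORT, OWN_RANGES)))
```

Two design choices matter here: the scope filter runs before anything else, so the report never lists addresses you are not responsible for, and the finding on port 443 is dropped because a web server on your range is an ordinary IT question, not an OT one. Feed a real export of your own ranges through the same functions and the three sample findings become the screenshots-and-severity list the paragraph above describes.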

💰 Offer OT Security Consulting to Local Utilities

Small and mid-size water utilities, wastewater treatment plants, and municipal power co-ops don’t have dedicated cybersecurity staff. They have one IT guy named Gary who’s also responsible for fixing printers.

What this looks like: Reach out to your city’s water department, electric co-op, or regional gas utility. Offer a free initial security assessment (1-2 hours of your time). Identify low-hanging fruit (exposed web interfaces, default passwords, missing MFA). Then offer ongoing monitoring and remediation for $2,000-$5,000/month per facility.

🧠 Example: A freelance sysadmin in Romania cold-emailed 12 regional water utilities offering free security scans. Three responded. He found critical vulnerabilities in all three. Two became paying clients at €3,500/month each. He now has 7 utility clients and grossed €147,000 in 2025. Timeline: 8 months from first cold email to 7-client portfolio.

🎓 Build a Micro-Course on OT Security for Non-Technical Managers

Every utility, manufacturer, and critical infrastructure operator has managers who know they’re supposed to care about cybersecurity — but have zero idea what a PLC even is.

What this looks like: Create a 90-minute online course called “OT Security for Executives: What You Need to Know About PLCs, SCADA, and Why Iran Can Shut Down Your Water Plant.” Use real examples (like this FBI report), simple language, and actionable checklists. Sell it for $199-$499 per seat or license it to industry associations.

🧠 Example: A former industrial controls engineer in Brazil created a 12-module Teachable course called “SCADA Security Basics for Plant Managers.” He charged $299 per student and marketed it via LinkedIn to water treatment and manufacturing facility managers. 340 students enrolled in year one. Revenue: $101,660. Timeline: 6 months from course creation to first $100K.

📝 Write Security Documentation Templates for SMB Utilities

Compliance frameworks like NIST, CISA guidelines, and industry-specific regulations require documentation — but small utilities don’t have the staff to write it from scratch.

What this looks like: Build templated security policies, incident response plans, and vulnerability assessment checklists specifically for water utilities, small electric co-ops, and regional gas distributors. Sell them as downloadable templates for $500-$2,000 per template pack, or offer customization services for $5,000-$15,000.

🧠 Example: A compliance consultant in South Africa created a “Water Utility Cybersecurity Documentation Starter Pack” (14 policy templates, 6 checklists, 3 incident response playbooks). She sold it for $1,200 on Gumroad and via her website. 47 utilities purchased in the first year. Revenue: $56,400. Timeline: 10 weeks from idea to launch.

🗣️ Speak at Industry Conferences and Charge for Workshops

Utility managers, plant operators, and industrial engineers attend tons of conferences — and they’re desperate for practical, non-theoretical security guidance.

What this looks like: Apply to speak at conferences like AWWA (American Water Works Association), ISA (International Society of Automation), or regional utility trade shows. Deliver a 45-minute talk on “How Iran Hacked U.S. Water Plants and How You Can Prevent It.” Then upsell a 3-hour paid workshop for $500-$1,500 per attendee.

🧠 Example: A cybersecurity researcher in India spoke at a regional water utility conference in Southeast Asia about SCADA vulnerabilities. 80 attendees showed up. He offered a follow-up 4-hour workshop for $800 per person. 22 signed up. Revenue from one conference: $17,600. He now does 6-8 conferences per year. Timeline: 14 months from first CFP submission to 6-conference annual circuit.

🛠️ Follow-Up Actions

| Want to… | Do this |
|---|---|
| Understand the scope of the threat | Read the full CISA advisory AA26-097A — it includes technical IOCs and mitigations |
| See what’s exposed on the internet | Search Shodan.io for “Rockwell” or “Allen-Bradley” — you’ll be horrified |
| Learn OT security basics | Take the free SANS ICS410 preview course or watch CISA’s OT security training videos on YouTube |
| Start a side hustle in this space | Cold-email 10 local utilities offering a free 30-minute security consultation — attach a PDF of this FBI report as credibility |
| Protect your own employer | Forward the CISA advisory to your IT/OT security team with the subject line “Are we vulnerable to this?” |

⚡ Quick Hits

| If you want to… | Do this |
|---|---|
| 🔍 Check if your company is exposed | Run a Shodan scan on your public IP ranges for exposed PLCs and SCADA systems |
| 💼 Turn this into a consulting gig | Offer free security assessments to local water utilities and upsell remediation services |
| 🎓 Monetize your knowledge | Build a micro-course on OT security for non-technical plant managers and sell it for $199-$499 |
| 📝 Sell templates | Create compliance documentation templates for small utilities and charge $1,200 per pack |
| 🗣️ Get paid to speak | Apply to industry conferences and upsell paid workshops at $500-$1,500 per seat |

Your city’s water plant runs on a 1997 PLC with the default password — and now you know Iran knows that too.
