The joint advisory issued by the FBI, NSA, CISA, Pentagon's Cyber Crime Center and other agencies reveals Iranian government-affiliated actors systematically targeting internet-exposed operational technology, with a clear focus on Rockwell Automation (Allen-Bradley) PLCs and potentially Siemens equipment. These operations have produced tangible operational disruptions and financial losses across water/wastewater systems, local municipalities and the energy sector. While The Record's coverage accurately reports the mechanics—including manipulation of project files, HMI and SCADA displays—it understates the strategic maturation of these campaigns and misses critical linkages to Iran's broader hybrid warfare doctrine.

This activity did not emerge in isolation. It directly continues the 2023-2024 IRGC-linked operations against Unitronics Vision PLCs, which compromised at least 75 devices according to the new declassified details. That earlier campaign, claimed by the Iran-aligned "Cyber Av3ngers," was widely dismissed as mere digital graffiti because most incidents involved changing screens to display Iranian flags. Yet Dragos analysts, including CEO Rob Lee in his February 2025 briefings, documented the group's progressive mastery of control loops and physical processes—precisely the trajectory now materializing in Rockwell targeting. The advisory's first-time disclosure that these actors have maintained persistent focus on energy utilities, oil and gas, railways and water since the Unitronics campaign demonstrates institutional memory and iterative learning within Iran's Cyber-Electronic Command.

What mainstream coverage missed is the explicit timing correlation with kinetic exchanges. The advisory ties the acceleration to the U.S.-Iran military conflict that intensified at the end of February 2025 following Israeli strikes on Iranian nuclear and proxy assets. This mirrors Tehran's established playbook of asymmetric retaliation: when conventional military options are limited, cyber operations against civilian critical infrastructure offer plausible deniability and domestic signaling value. Synthesizing the current FBI/Pentagon warning with the State Department's 2024 $10 million reward offers targeting six IRGC officials (including Hamid Reza Lashgarian, head of the Cyber-Electronic Command) and Dragos' 2024 OT Threat Landscape report paints a coherent picture of state-directed campaigns designed to map, manipulate and eventually destroy.

The emphasis on CVE-2021-22681 exploitation is telling. CISA's Known Exploited Vulnerabilities catalog prioritized this Rockwell flaw weeks before the advisory, yet many municipal and small utility operators still run legacy OT incapable of rapid patching. The original reporting also fails to connect this campaign to parallel activity by Iranian proxy actors, including Hezbollah-linked groups that have shown increasing interest in ICS reconnaissance per Mandiant's APT tracking. This represents a distributed threat architecture where IRGC core units develop tradecraft while proxies test boundaries.

Historically, nation-state OT attacks have followed a predictable escalation ladder—from Saudi Aramco's Shamoon wiper attacks in 2012, through the 2015-2016 Russian crashes of Ukraine's power grid, to Iran's current probing. The key difference today is the target: American homeland infrastructure during active regional conflict. U.S. defenders have long warned about the "air gap myth"—thousands of PLCs remain exposed via shodan.io searches. The advisory's recommendation to remove OT from direct internet exposure is sound but arrives late; many water districts use remote access tools for legitimate engineering needs without proper jump hosts or zero-trust segmentation.

The Minot, North Dakota water treatment incident—one week before the advisory—remains under joint investigation. While city officials described ransomware-like screen messages without explicit demands, the overlap with known Iranian TTPs suggests possible false flag or test deployment rather than pure criminal activity. This highlights another analytical gap in initial coverage: the blurring line between cybercrime and state-directed disruption when both exploit the same vulnerable OT assets.

Fundamentally, these incidents underscore a dangerous reality. Iran recognizes that physical effects delivered through cyber means can impose costs exceeding many kinetic strikes while remaining below the threshold for full-scale war. As Middle East tensions show no signs of de-escalation, U.S. critical infrastructure operators face not hypothetical risks but active nation-state campaigns aimed at understanding exactly how to trigger cascading failures. The intelligence community's unusually unified voice in this advisory signals both high confidence in attribution and concern that current defenses remain insufficient. Without accelerated OT segmentation, rigorous supply chain validation of PLC firmware and realistic tabletop exercises modeling Iranian-style HMI manipulation, the next phase of this campaign could transition from disruption to destruction.