Iran attempting cyber attacks against U.S. critical infrastructure, officials say

U.S. intelligence agencies are “urgently warning” private sector companies throughout the nation that Iranian actors “are conducting exploitation activity” that has resulted in “disruptions across several U.S. critical infrastructure,” according to a government notice reviewed by The Times.

The Iranian cyberactivity comes as President Trump is threatening to target Iran’s critical infrastructure in the coming hours, particularly its bridges and power plants.

Iran’s attack targeted products by Rockwell Automation’s Allen-Bradley, one of the most widely used industrial automation brands, according to the notice, which said that cyber actors affiliated with Iran were exploiting “programmable logic controllers across U.S. critical infrastructure.”

Tehran’s targeting campaigns against U.S. organizations “have recently escalated, likely in response to hostilities between Iran,” the notice warned.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the notice reads.

“U.S. organizations should urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks,” it continues.

The advisory was issued Tuesday jointly by the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Environmental Protection Agency, the Department of Energy, and Cyber Command.

Top executives from companies at the core of the nation’s ability to function — those leading America’s largest energy, water, transportation, and communications corporations — had already been taking it upon themselves to increase their vigilance over potential attacks, concerned that Trump’s willingness to target Iran’s critical infrastructure inadvertently put a mark on their backs.

Some fear Iran’s ability to conduct cyber operations that could take down transformers or power inverters, if not a wide-scale power system. Others are concerned by threats to brick and mortar sites from proxies of Tehran — physical attacks against facilities such as nuclear plants, or power management systems, the crown jewels of the sector.

Larger, even more capable actors, particularly Russia and China, may also take advantage of the fog of war to launch strikes themselves.

“There remains concern about Iranian cyber capabilities and retaliation if the U.S. carries through on threats to attack their infrastructure,” said Ernest Moniz, former U.S. secretary of energy under President Obama who helped negotiate the 2015 nuclear deal with Iran. “There may already be backdoors, Trojan horses and malware hidden in our infrastructure.”

“I have to believe that the government cyber experts — or what’s left of them — are working closely and indeed overtime with the power companies and other infrastructure operators on cyber defense and intrusion detection and warning,” Moniz added.

Iran has demonstrated an ability to penetrate networks tied to critical U.S. infrastructure before.

In 2015, Iran-backed hackers accessed data associated with Calpine Corp., one of California’s largest power producers, obtaining detailed engineering diagrams and credentials related to power plant systems. Some were labeled “mission critical.” U.S. officials feared at the time that the breach would allow Tehran to initiate blackouts nationwide.

Since that time, companies at the center of the U.S. energy and telecommunications sectors have markedly improved their defenses. But Iran’s offensive capabilities have improved, as well.

Large players in the energy sector are operating with “a watchful eye and an elevated posture right now,” said Pedro J. Pizarro, president and chief executive officer of Edison International, the parent company of Southern California Edison, one of the nation’s largest electric utilities.

Companies like Edison have been operating under persistent threat for over a decade. In 2024, a pair of devastating cyberespionage attacks targeting U.S. critical infrastructure attributed to Chinese hackers, Volt Typhoon and Salt Typhoon, were discovered after avoiding detection for at least three years.

The threat of a similarly latent attack — where malware lies dormant in critical infrastructure systems, waiting for a signal to activate — is a real cause for concern in the sector, despite its best efforts and technological advances, experts and insiders said.

“The threat of cyber and physical attacks targeting critical infrastructure is not new,” said Jennifer DeCesaro, senior vice president of industry operations at the Edison Electric Institute, “which is why we partner with the government through the Electricity Subsector Coordinating Council to share actionable intelligence and prepare to respond to incidents that could affect our ability to provide electricity safely and reliably.”

The ESCC works closely with the National Security Council and its intelligence arms, particularly the intelligence agencies and CISA, to coordinate regular briefings on safety standards, best practices and intelligence tips.

The CIA declined to comment. A spokesperson with CISA, listed as out of office due to the ongoing federal funding hiatus for the Department of Homeland Security, could not be reached for comment.

Last summer, announcing a 40% cut to the workforce of her office, Director of National Intelligence Tulsi Gabbard eliminated the Cyber Threat Intelligence Integration Center, previously seen as a critical fusion hub of information by private sector partners.

Asked to respond to the potential of retaliatory attacks against U.S. infrastructure, Karoline Leavitt, the White House press secretary, repeated the president’s threats.

“The Iranian regime has until 8PM Eastern Time to meet the moment and make a deal with the United States,” she said. “Only the president knows where things stand and what he will do.”

Trump has threatened to destroy every bridge and power plant in Tehran if it fails to come to an agreement that ends its control over the Strait of Hormuz.

Ultimately, corporate executives shoulder much of the burden as the first line of defense for the country’s critical infrastructure, roughly 85% of which is owned by private sector companies.

Tom Fanning, former CEO of Southern Co. and now executive committee chairman at the Alliance for Critical Infrastructure, said the threat from Iran is “credible.”

“I have not seen what I would describe as the existential threat, to take down a wide-ranging power system,” Fanning said. “Could those things be turned on? Sure. Is the United States critical infrastructure prepared to act? I think so.”

Last month, early on in the war, the Los Angeles Metro transit system was forced to shut down a portion of its network due to a hack. Authorities say it is still unclear who was behind the breach, but a source told The Times that Iran-backed hackers are being investigated as the potential culprit.

The transportation agency said its security team had “discovered unauthorized activity,” and was making sure its roughly 1,400 servers were secure before bringing them back online. The agency has emphasized the hack did not impact passengers’ commute time.

The FBI said it was aware of the hack. DHS is working with local partners “to address cyber threats to critical infrastructure,” an official said.

“The reality is that the threats are here and now,” Fanning added. “The truth is, the bad guys are already here.”

Times staff writers Kevin Rector, Richard Winton and Rebecca Ellis, in Los Angeles, contributed to this report.


Trump holds fast to Tuesday deadline, threatening Iran’s bridges and power plants

President Trump said Monday that the United States and Iran are at a “critical point” in negotiating a potential ceasefire agreement, but the chances of reaching a deal by a Trump-imposed deadline on Tuesday evening appeared uncertain.

In a lengthy news briefing at the White House, the president echoed an expletive-laden Easter Sunday warning to strike Iran’s vital infrastructure if Tehran does not agree to open the Strait of Hormuz by 5 p.m. PDT on Tuesday.

“The entire country can be taken out in one night and that night might be tomorrow night,” Trump told reporters.

Mediators from Egypt, Pakistan and Turkey sent the United States and Iran a draft proposal of the 45-day ceasefire on Friday, the Associated Press reported. Its prospects seemed dim amid the president’s threats and a lukewarm response from Iranian leaders, who dismissed the president’s diplomatic overtures as “unrealistic” and denied direct talks with the United States.

Iranian Foreign Ministry spokesman Esmail Baghaei rejected the latest ceasefire proposal, saying Monday that the American demands were “both highly excessive and unusual, as well as illogical.”

Still, Trump continued to assert that Iranian leadership has been negotiating in good faith. He characterized newly installed leaders as an improvement over their predecessors.

“The people that we are negotiating with now on behalf of Iran are much more reasonable,” he said Monday.

Trump declined to comment further on the ceasefire proposal at the news conference, but told reporters that Iran is negotiating ahead of his Tuesday deadline.

“I can tell you they’re negotiating, we think in good faith,” Trump said. “We are going to find out.”

The president did not say whom the United States is negotiating with, but said the most difficult challenge so far has been establishing a reliable channel of communicating with Iranian officials who he said have “no method of communicating.”

Trump also declined to say whether he was prepared to offer Iran assurances to wind down the conflict, or whether he would escalate by following through with his threats to bomb critical Iranian infrastructure, leaving the door open to both diplomacy and military action.

“I can’t tell you — it depends on what they do. This is a critical period,” he said.

Central to the negotiations is Iran’s control of the Strait of Hormuz, a choke point that, if left blockaded, could continue driving oil prices higher and further destabilizing global energy markets.

Trump, in characteristically unorthodox fashion, floated the possibility of the United States seizing operational control of the waterway and charging tolls for passage, a proposal that he provided without much detail.

“Why shouldn’t we?” Trump said. “We have a concept where we’ll charge tolls.”

He also mused openly about seizing Iranian oil, as he has in recent social media posts in which he floated the idea of using the war to claim Iranian energy resources. He acknowledged public pressure was holding him back from that course.

“Unfortunately the American people would like to see us come home,” he said. “If it were up to me, I’d take the oil, keep the oil and make plenty of money.”

In addition to reopening the Strait of Hormuz, Washington is also demanding the permanent decommissioning of Iranian nuclear sites and an end to its uranium enrichment programs. The proposal also requires Iran to halt support for regional proxies and accept strict ballistic missile limits.

In exchange, the United States says it will provide sanctions relief and assistance with civilian energy production, according to media reports.

Speaking at the White House Easter Egg Roll earlier Monday, Trump showed no signs of softening his posture to bring “hell” to Iran if a deal doesn’t materialize.

“We are obliterating their country. And I hate to do it, but we are obliterating. And they just don’t want to say uncle. … And if they don’t, then they’ll have no bridges, they’ll have no power plants, they’ll have nothing,” he said, adding ominously that “there are other things that are worse than those two.”

Iran has warned of “more severe and expansive” retaliations if Trump follows through on the threats.

Also at Monday’s briefing, Trump celebrated the dramatic rescue of the American officer whose fighter jet was downed by Iran last week. He told reporters the operation to retrieve the wounded officer from “one of the toughest areas in Iran” was possible with a mix of “talent” and “luck.”

The president, however, was angered that a news outlet, which he did not name, reported that the weapons system officer had gone missing and was stranded behind enemy lines. Trump vowed to root out the source of that information, including by threatening to jail the journalist who broke the story.

“We have to find that leaker because that is a sick person,” Trump said. “We are going to find out, it is national security. The person who did the story will go to jail if he doesn’t say.”

Also Monday, Israel struck Iran’s largest petrochemical facility in Asaluyeh and killed Gen. Majid Khademi, the head of the Islamic Revolutionary Guard Corps’ intelligence organization.

The Israeli military also hit three Iranian airports, purportedly targeting dozens of helicopters and aircraft it said belonged to the Iranian air force.

Iran responded with missile strikes targeting Haifa, Israel, and energy infrastructure in Kuwait and Bahrain.
