Iranian hackers penetrated the computers controlling a dam near New York, reveals the Wall Street Journal.
The 2013 attack did no damage but revealed information about how computers running the flood control system worked, said the paper.
Hackers working for nation states regularly hit national infrastructure targets, said a separate AP report.
About 12 times in the last decade hackers have won high-level access to power networks, it said.
Extensive information about the Bowman Avenue dam in Rye, New York state was taken by the hackers, experts familiar with the incident told the newspaper.
An investigation pointed to Iran as the likely source of the attack and alerted US authorities to the significant cyber warfare capabilities of that nation, said the report The same group of hackers that attacked Bowman Avenue was also implicated in separate attacks on three US financial firms, it added.
The US power network has also come under regular attack by "sophisticated foreign hackers" said AP in an extensive investigation.
Many times security researchers had found evidence that hackers had won access to these sensitive systems. So far, all the attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.
One extensive campaign gave hackers access to 82 separate plants spread across the US and Canada. Comments in the code found when the attacks were detected suggested Iranian hackers were behind this attack. Information about this series of attacks led the FBI to issue a warning to power industry that it was being targeted.
The knowledge accumulated by the attackers has not been used to shut down the power plants or change the way they work, wrote AP reporters Garance Burke and Jonathan Fahey.
However, the knowledge could be used to cause damage if diplomatic relations between Iran and the US changed for the worse, former US Air Force cyber security expert Robert Lee told the agency.
Hackers could get at the power plants and other parts of national infrastructure because many of the systems were set up long before the need to protect them against remote attacks became apparent.