Censys warns systemic exposure of Rockwell PLCs enable Iran-linked targeting of critical infrastructure OT networks


Iranian-affiliated threat actors are actively targeting internet-exposed ICS (industrial control systems), with new Censys research highlighting how widely deployed Rockwell Automation Allen-Bradley PLCs (programmable logic controllers) are being probed and exploited as part of a broader campaign against critical infrastructure. The findings point to a persistent exposure problem, where these devices remain accessible over the public internet, creating a repeatable entry point for adversaries seeking to interact directly with OT (operational technology) environments.

“Censys identifies 5,219 internet-exposed hosts globally responding to EtherNet/IP (port 44818) and self-identifying as Rockwell Automation/Allen-Bradley devices,” Censys researchers wrote in a Wednesday blog post. “Geographic distribution is heavily skewed toward the United States, which accounts for 74.6% of global exposure — consistent with Rockwell’s dominant market position in North American industrial automation.”

Censys detailed that the current campaign involves direct access to internet-exposed PLCs using legitimate vendor software, specifically Rockwell Studio 5000 Logix Designer, allowing threat actors to interact with project files and manipulate HMI and SCADA display data without the need for zero-day exploits. The activity highlights a shift toward ‘living off the land’ techniques in OT environments, where native tools are used to blend malicious actions into routine engineering workflows. Confirmed targets include widely deployed Allen-Bradley device families such as CompactLogix and Micro850, underscoring the campaign’s operational relevance.

The research also notes that attackers are probing additional industrial protocols, including Modbus on port 502 and Siemens S7 on port 102, indicating a broader, multi-vendor targeting strategy beyond Rockwell systems. This pattern suggests coordinated reconnaissance across heterogeneous OT environments, raising concerns that exposed industrial assets across sectors could be systematically mapped and accessed, increasing the risk of disruption in critical infrastructure networks.

The analysis underscores that attackers are leveraging legitimate engineering tools and native functionality to access and manipulate PLCs, rather than relying on custom malware, allowing their activity to blend into normal operational workflows. This ‘living off the land’ approach complicates detection while enabling adversaries to extract or alter control logic, reinforcing concerns that exposed OT assets can be quietly accessed and potentially disrupted without triggering traditional security defenses. 

Censys reported that Spain (110), Taiwan (78), and Italy (73) account for large non-Anglosphere concentrations of exposed devices. Iceland stands out with 36 hosts, a figure that is disproportionately high relative to its population and notable given its reliance on geothermal energy infrastructure. 

This week, U.S. cybersecurity agencies warned of ongoing cyber exploitation of internet-connected OT devices, including PLCs from Rockwell Automation and its Allen-Bradley line, deployed across multiple critical infrastructure sectors. Since March, the activity has led to disruptions through malicious interactions with project files and manipulation of data displayed on HMI (human machine interface) and SCADA (supervisory control and data acquisition) displays. In a few cases, the adversarial activity resulted in operational disruption and financial loss. The advisory highlights particular risk to U.S. government facilities, water and wastewater systems, and the energy sector, all of which have significant deployments of Rockwell systems.

Censys found that the ASN distribution of exposed devices reveals a striking concentration on cellular carrier networks, with Verizon Business (CELLCO-PART) alone accounting for 2,564 hosts (49.1% of the global total) and AT&T Mobility adding a further 693 (13.3%). This pattern strongly indicates that a large fraction of internet-exposed PLCs reach the internet via cellular modems used for remote field connectivity, a deployment pattern the advisory explicitly flags as requiring hardening.

Recognizing that the dominance of consumer/business cellular ASNs such as Verizon, AT&T, T-Mobile, Charter, and Comcast, over industrial or datacenter ASNs is operationally significant, Censys noted that these devices are almost certainly field-deployed in physical infrastructure (pump stations, substations, municipal facilities) with cellular modems as their sole internet path. “SPACEX-STARLINK’s presence (24 hosts) reflects the broader trend of satellite-connected ICS devices that are difficult to monitor and patch.”

Data showed that SSH is a prominent exposed service, with a visible count of 530, suggesting it is one of the most commonly accessible remote access pathways in the dataset. This level of exposure points to a significant potential entry point for attackers, particularly in environments where secure configuration and access controls may be inconsistent.

“EtherNet/IP identity responses expose device-level product strings, enabling granular fingerprinting of PLC model and firmware revision without authentication,” Censys reported. “The top 15 product strings are dominated by two families: MicroLogix 1400 (catalog prefix 1766-) and CompactLogix (1769-, 5069-), with one Micro820 (2080-) entry.”

In addition, the device distribution chart shows that CompactLogix systems, including models such as the 1769-L30ER/A, have a notably high presence, with a count of 97, while MicroLogix devices, such as the 1400 series, also appear but at comparatively lower levels. This distribution highlights that widely deployed industrial controllers, particularly from the CompactLogix family, make up a substantial portion of the exposed attack surface.

Censys found that VNC (771 service instances) represents direct remote desktop access to HMI workstations, precisely the vector described in AA26-097A for SCADA display manipulation. “Telnet (280) is a cleartext legacy protocol with no place on internet-facing OT infrastructure. Modbus (292) alongside EIP confirms multi-protocol OT exposure consistent with the advisory’s observation that actors are probing Modbus/502. Red Lion Crimson (256) indicates hybrid multi-vendor deployments on the same network segment.”

The advisory names CompactLogix and Micro850 as confirmed targeted families. The heavy MicroLogix 1400 presence, with many units running end-of-sale firmware C/21.02 and C/21.07, is a compounding risk: those devices receive limited ongoing security support, and because firmware version strings are embedded unauthenticated in every EIP identity response, actors can enumerate and prioritize unpatched devices at scan time.

Censys recommends, as an immediate priority, eliminating direct internet exposure of PLCs: remote access should be routed through secure gateways or jump hosts, and cellular connectivity disabled where it is not essential. For CompactLogix and MicroLogix devices equipped with a physical mode switch, operators are urged to set the switch to RUN, as it remains one of the few controls that cannot be overridden remotely.

Defenders are also advised to urgently review logs for inbound traffic across key industrial and remote access ports, including TCP 44818, 2222, 102, 502, and 22, particularly from suspicious IP ranges identified in the campaign. At the same time, high-risk services such as VNC, Telnet, and FTP should be disabled or tightly firewalled on systems connected to PLCs, as exposed remote access pathways are consistent with the types of SCADA and HMI manipulation observed.

Additional measures include enforcing multi-factor authentication across all remote OT access points, auditing vulnerable MicroLogix 1400 deployments running older firmware versions, and monitoring for unexpected changes in device identity or firmware data that could signal unauthorized modifications. Together, these steps reflect a shift toward tightening both exposure and detection in environments where attackers are actively leveraging accessible pathways rather than exploiting complex vulnerabilities.
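The log review recommended above, as an added example that is not part of the Censys research or the advisory: it scans constructed firewall log lines for inbound connections to the OT and remote-access ports listed (TCP 44818, 2222, 102, 502, 22), treats a hypothetical jump host and engineering VLAN as the only legitimate sources, and reports every other source, distinguishing connections that were allowed from probes that were denied.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the advisory guidance: EtherNet/IP (44818, 2222),
# Siemens S7 (102), Modbus (502) and SSH (22).
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP (alt)",
            102: "S7comm", 502: "Modbus", 22: "SSH"}

# Hypothetical allowlist (assumption, not from the page): the site's jump host
# and engineering VLAN are the only sources that should reach the PLC segment.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.5/32"),
                   ipaddress.ip_network("10.20.30.0/24")]

# Constructed firewall log lines in a simple key=value style (sample data).
SAMPLE_LOG = """\
2025-04-08T02:11:45Z action=allow proto=tcp src=10.20.30.17 sport=51234 dst=10.20.40.12 dport=44818
2025-04-08T02:12:03Z action=allow proto=tcp src=203.0.113.77 sport=40012 dst=10.20.40.12 dport=44818
2025-04-08T02:12:09Z action=allow proto=tcp src=203.0.113.77 sport=40013 dst=10.20.40.13 dport=502
2025-04-08T02:13:21Z action=allow proto=tcp src=198.51.100.9 sport=60001 dst=10.20.40.12 dport=22
2025-04-08T02:14:00Z action=allow proto=tcp src=10.20.0.5 sport=43210 dst=10.20.40.12 dport=44818
2025-04-08T02:15:12Z action=deny proto=tcp src=198.51.100.9 sport=60002 dst=10.20.40.12 dport=102
2025-04-08T02:16:40Z action=allow proto=tcp src=10.20.30.22 sport=50100 dst=10.20.40.14 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) proto=\w+ "
                     r"src=(?P<src>\S+) sport=\d+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def is_allowed_source(src):
    """True if src falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_suspicious(log_text):
    """Return (ts, src, dst, port, service, kind) for every connection to an
    OT port from a non-allowlisted source; kind is 'access' or 'probe'."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently miss a field
        port = int(m["dport"])
        if port not in OT_PORTS or is_allowed_source(m["src"]):
            continue
        kind = "access" if m["action"] == "allow" else "probe"
        hits.append((m["ts"], m["src"], m["dst"], port, OT_PORTS[port], kind))
    return hits

def summarize_by_source(hits):
    """Count findings per source address, to rank sources for investigation."""
    return Counter(h[1] for h in hits)
```

An 'access' finding means the firewall let a non-allowlisted host reach a PLC port and warrants checking the device's project file and identity data for changes; a 'probe' is reconnaissance that was blocked but still indicates the asset is being scanned.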