
Ongoing cyberattacks targeting internet-connected PLCs disrupt US critical infrastructure, agencies warn


U.S. cybersecurity agencies on Tuesday warned of ongoing cyber exploitation of internet-connected OT (operational technology) devices, including programmable logic controllers from Rockwell Automation and its Allen-Bradley line, deployed across multiple critical infrastructure sectors. Since March, the activity has led to disruptions through malicious interactions with project files and manipulation of data displayed on HMI (human machine interface) and SCADA (supervisory control and data acquisition) displays. In a few cases, the adversarial activity resulted in operational disruption and financial loss. 

The activity highlights a growing focus on ICS (industrial control systems), where attackers exploit weak configurations and exposed assets to move from initial access toward operational impact, reinforcing concerns that geopolitical tensions are increasingly translating into cyber operations against critical infrastructure. Because these PLCs are widely deployed, and because other vendors' OT devices may also be targeted, the agencies urge U.S. organizations to review the TTPs (tactics, techniques, and procedures) and IoCs (indicators of compromise) in the advisory for signs of current or historical activity on their networks.

The FBI (Federal Bureau of Investigation), CISA (Cybersecurity and Infrastructure Security Agency), NSA (National Security Agency), EPA (Environmental Protection Agency), DOE (Department of Energy), and United States Cyber Command – Cyber National Mission Force (CNMF) assess that a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the U.S. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including government services and facilities (among them local municipalities), water and wastewater systems (WWS), and energy. 

The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group), a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC). 

“The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations,” according to the advisory. “Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel.” 

Since at least March 2026, the agencies have identified, through engagements with victim organizations, that an Iranian-affiliated APT group has disrupted the function of PLCs. These PLCs were deployed across multiple U.S. critical infrastructure sectors, including government services and facilities, WWS, and energy, within various industrial automation processes. Some of the victims experienced operational disruption and financial loss.

The agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs. The adversaries used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. Targeted devices include CompactLogix and Micro850 PLC devices. 

“Inbound malicious traffic may be directed to devices on any of the following ports: 44818, 2222, 102, 22, or 502,” according to the advisory. “The targeting of ports associated with other OT vendors’ protocols suggests these actors may also be targeting devices manufactured by companies other than Rockwell Automation/Allen-Bradley, including the Siemens S7 PLC. Additionally, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable them to gain remote access through port 22.”

“Cyber attacks are key components now in all war and kinetic attacks,” Joe Saunders, CEO at RunSafe Security, wrote in an emailed statement. “Not only does Iran have the means, it has the motivation to undermine US Government and disrupt a well-functioning society. Cyber attacks are one way to break down physical barriers and can be executed at a time and place of a nation-state’s choosing to achieve counter-effects. We should all be prepared for cyberattacks, with an eye toward resilience and recovery. This proves critical infrastructure is an extension of national security.”

From a strategic perspective, this matters because compromising ICS can directly disrupt critical infrastructure and create real-world consequences beyond traditional cyber incidents, Steve Povolny, vice president of AI strategy and security research at Exabeam, wrote in an emailed statement. “Water treatment plants, electrical distribution systems, pipeline operations, and manufacturing control layers are uniquely asymmetric targets. They allow adversaries to generate disruption, fear, and economic pressure without triggering the kind of response normally associated with physical conflict. That reality makes PLC-focused campaigns especially concerning right now, and this advisory is describing an operational playbook already being exercised against live infrastructure.”

Povolny added that organizations operating SCADA, ICS, and broader OT environments should assume increased reconnaissance, credential harvesting, and opportunistic exploitation attempts during this period of heightened tension. “Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators. Teams should prioritize passive network monitoring for control protocols, enforce strict segmentation between enterprise and control zones, validate remote access pathways, and confirm that engineering workstations and vendor maintenance channels are tightly controlled and logged. Just as important, incident response plans must explicitly account for loss of control system integrity, not just loss of data confidentiality. However, I fear it may be too late for much of this to have a short-term impact.”

He noted that compromise in these environments is rarely clean or reversible in the way traditional IT intrusions are. “Restoration can involve physical processes, safety risks, and cascading operational consequences. That makes preparation the decisive factor. Take this as a tangible warning; we’re way past the preparation phase, yet this time can still be used to baseline controller behavior, validate offline recovery procedures, confirm firmware provenance, and rehearse coordinated response between security teams and plant operators. The advisory should be treated as a warning shot. Adversaries are signaling intent, capability, and access patterns, and defenders should respond with the assumption that probing activity is already underway.”

The agencies urge organizations to adopt mitigations to strengthen their cybersecurity posture in response to the observed threat actor activity. These measures align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0), developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs outline a baseline set of practices and protections recommended for all organizations. They draw on established cybersecurity frameworks and guidance, prioritizing defenses against the most common and highest-impact threat TTPs.

For network defenders, the agencies warn that threat actors are actively exploiting internet-connected Rockwell Automation/Allen-Bradley PLCs to disrupt operations, underscoring the urgency of immediate defensive action. Organizations are advised to disconnect PLCs from public-facing networks, eliminate direct internet exposure, and route all remote access through secure, monitored gateways. Additional frontline measures include securing cellular modems with strong authentication and logging, enforcing physical or software-based controls to prevent unauthorized PLC modifications, and maintaining tested, offline backups to enable rapid recovery in the event of compromise.
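The "prevent unauthorized PLC modifications" and "tested, offline backups" measures above both depend on knowing what the legitimate controller project files looked like before an intrusion. The following is an added example, not code from the advisory or from Rockwell Automation, showing a minimal integrity baseline for an engineering workstation's project directory: it records a SHA-256 manifest of every file, then reports which files were modified, added, or removed when the directory is re-scanned. The file names, contents, and the `.ACD` project-file extension used in the demo are constructed stand-ins; the same routine can be run over a backup set before restoring it to confirm the backup itself has not been altered.

```python
"""Baseline-and-compare integrity check for PLC project files (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks so large exports are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Report differences between a stored baseline and a fresh scan.

    'modified' = same path, different hash; 'added' = only in current;
    'missing' = only in baseline. All lists are sorted for stable output.
    """
    modified = [p for p in baseline if p in current and baseline[p] != current[p]]
    added = [p for p in current if p not in baseline]
    missing = [p for p in baseline if p not in current]
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def run_demo() -> dict:
    """Build a constructed project directory, baseline it, tamper with it, and diff.

    Everything written here is constructed sample data, not real project content.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Pump_Station.ACD").write_bytes(b"constructed project file A, revision 1")
        (root / "Filter_Skid.ACD").write_bytes(b"constructed project file B, revision 1")
        (root / "commissioning_notes.txt").write_bytes(b"constructed notes")
        baseline = build_manifest(root)

        # Simulate what a later scan would see after unauthorized changes:
        # one project altered, one deleted, one unexpected file dropped in.
        (root / "Pump_Station.ACD").write_bytes(b"constructed project file A, altered rung")
        (root / "Filter_Skid.ACD").unlink()
        (root / "untracked_upload.bin").write_bytes(b"constructed unexpected file")
        current = build_manifest(root)

        return compare_manifest(baseline, current)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s}: {paths}")
```

In practice the baseline manifest is written to read-only or offline storage at commissioning time and after every approved change, so that the comparison is against a copy the intruder could not have rewritten.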

Beyond immediate containment, defenders should take sustained steps to harden OT environments. This includes enforcing multifactor authentication for remote access, deploying VPNs, firewalls, and proxies to control network traffic, and ensuring systems are regularly patched based on risk prioritization. 

Organizations should also disable unused services and default credentials, monitor for anomalous access and configuration changes, and inspect network traffic for suspicious ICS commands or login patterns. Reducing overall exposure remains critical, with agencies pointing to services such as vulnerability scanning and asset exposure assessments to help identify and close security gaps before they can be exploited.
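The advisory's port list (44818, 2222, 102, 22, and 502) and the recommendation above to monitor for anomalous access give a concrete starting point for the "passive network monitoring for control protocols" that Povolny describes. The following is an added example, not code from the advisory or any vendor, that scans firewall or flow log lines for accepted connections to those ports from any source outside an approved engineering network. The log line format, the `10.20.0.0/16` plant addressing, and the source addresses (taken from the IETF documentation ranges as stand-ins for the overseas infrastructure the advisory mentions) are all constructed. A hit from a non-RFC 1918 source is rated high because it means the PLC is reachable from the internet, which is the exact condition the agencies are telling operators to eliminate; a hit from an internal but unapproved host is rated medium.

```python
"""Flag accepted connections to advisory-listed OT ports from unapproved sources (added example)."""
import ipaddress
import re
from collections import defaultdict

# Ports named in the advisory, annotated with the protocol normally carried on each.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging, used by Logix Designer)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP (Siemens S7comm)",
    22: "SSH (e.g. Dropbear)",
    502: "Modbus/TCP",
}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private because
# is_private also treats the documentation ranges used in the sample log as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format (not any vendor's real schema):
#   <timestamp> <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport>/<proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+)$"
)

# Constructed sample log: two external hosts reaching PLC ports, one approved
# engineering workstation, one unapproved internal host, and one already-dropped probe.
SAMPLE_LOG = """\
2026-03-14T02:11:09Z ACCEPT 198.51.100.23:51742 -> 10.20.5.17:44818/tcp
2026-03-14T02:11:12Z ACCEPT 198.51.100.23:51743 -> 10.20.5.17:2222/tcp
2026-03-14T02:15:40Z ACCEPT 10.20.1.50:49213 -> 10.20.5.17:44818/tcp
2026-03-14T02:20:02Z ACCEPT 203.0.113.77:40001 -> 10.20.5.18:502/tcp
2026-03-14T02:21:55Z ACCEPT 203.0.113.77:40002 -> 10.20.5.18:22/tcp
2026-03-14T02:30:00Z ACCEPT 10.20.1.50:49300 -> 10.20.5.18:443/tcp
2026-03-14T02:31:00Z DROP 192.0.2.9:5555 -> 10.20.5.19:102/tcp
2026-03-14T02:35:00Z ACCEPT 10.20.7.4:50111 -> 10.20.5.19:502/tcp
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_exposed_ot_access(log_text: str, engineering_nets) -> list:
    """Return findings for accepted connections to OT ports from outside engineering_nets."""
    allowed = [ipaddress.ip_network(n) for n in engineering_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] not in OT_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in allowed):
            continue  # approved engineering workstation; expected traffic
        severity = "medium" if is_rfc1918(rec["src"]) else "high"
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "protocol": OT_PORTS[rec["dport"]],
            "severity": severity,
        })
    return findings


def summarize_by_source(findings: list) -> dict:
    """Collapse findings to {source IP: sorted list of OT ports it reached}."""
    ports = defaultdict(set)
    for f in findings:
        ports[f["src"]].add(f["dport"])
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    hits = find_exposed_ot_access(SAMPLE_LOG, ["10.20.1.0/24"])
    for h in hits:
        print(f"[{h['severity']:6s}] {h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['protocol']})")
    print("by source:", summarize_by_source(hits))
```

The summary view is the one worth alerting on: a single external address touching both 44818 and 2222, or 502 and then 22, matches the pattern the advisory describes of a leased host connecting with configuration software and then opening an SSH path, and a medium-rated internal host is a segmentation gap to chase down even if it turns out to be benign.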

For device manufacturers, the agencies make it clear that while operators can mitigate risk, the burden of security ultimately sits with those building the products. PLCs and other OT devices must be designed to be secure by default, not reliant on downstream configuration. Manufacturers are urged to take direct responsibility for customer security outcomes by eliminating insecure default settings, especially those that expose administrative interfaces to the internet, and by ensuring that essential protections are built into the product from the outset.

This approach extends to removing cost barriers for baseline security and embedding stronger protections such as multifactor authentication, including phishing-resistant methods. The broader goal is to deliver systems that are secure ‘out of the box,’ reducing the need for customers to invest additional time, expertise, or budget to achieve a safe baseline. Agencies stress that secure-by-design principles, combined with clearer guidance on common misconfigurations, are critical to reducing systemic risk across industrial environments.

The authoring agencies recommend that organizations go beyond implementing mitigations and actively exercise, test, and validate their security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the advisory. This involves assessing how existing security controls perform against the identified ATT&CK techniques, starting with selecting the relevant techniques, aligning current security technologies to them, and testing those technologies under realistic conditions.

Organizations should then analyze how well detection and prevention capabilities perform, repeat this process across their full security stack to build comprehensive performance data, and use those insights to refine people, processes, and technologies. Continuous, large-scale testing in production environments is essential to ensure security controls remain effective against evolving threats and the ATT&CK techniques outlined in the advisory.

Last month, members of the National Council of ISACs (NCI) urged organizations across critical infrastructure sectors to strengthen preparedness, noting that geopolitical crises can also elevate the risk of physical attacks by homegrown violent extremists targeting public spaces or essential services. This came amidst rising tensions in the Middle East, prompting fresh warnings that the conflict could spill into the cyber domain, with potential implications for critical infrastructure operators worldwide. Security groups say Iranian state-sponsored hackers, aligned hacktivists, and cybercriminal networks could increase cyberattacks during periods of regional escalation, reflecting patterns seen in past conflicts.
