US Agencies Warn of Active Iranian Attacks on Critical Infrastructure via Exposed Rockwell PLCs

Executive Summary

A joint advisory from the FBI and CISA has issued an urgent warning regarding an ongoing cyber campaign by Iran-affiliated threat actors targeting United States critical infrastructure. The attackers are exploiting internet-exposed Operational Technology (OT), specifically Rockwell Automation Allen-Bradley Programmable Logic Controllers (PLCs), to cause operational disruptions. The campaign has successfully impacted water and wastewater systems (WWS), energy facilities, and government services. Attackers are leveraging legitimate vendor software to connect to and manipulate these devices, leading to tangible physical consequences and financial losses. The widespread exposure of these devices—with an estimated 74.6% of vulnerable systems located in the US—presents a severe national security risk, prompting an immediate call to action for organizations to remove OT systems from public-facing networks.

Threat Overview

What Happened: Since at least March 2026, threat actors linked to Iran have been systematically scanning for and exploiting internet-exposed PLCs. The primary targets are Rockwell Automation's Allen-Bradley CompactLogix and Micro850 controllers, which are prevalent in US industrial environments. The attackers gain initial access by connecting directly to these exposed devices from overseas-based IP addresses.

Attack Vector: The core of the attack lies in the exploitation of insecure, internet-facing PLCs. These devices are often deployed in remote locations (e.g., water pump stations, electrical substations) using cellular modems, and lack fundamental security controls like firewalls or VPNs. The attackers use legitimate, albeit unauthorized, instances of Rockwell's Studio 5000 Logix Designer software to establish a connection, download the existing project file from the PLC, manipulate it, and then upload the malicious version back to the device.

Who's Affected: The campaign explicitly targets US-based critical infrastructure. Confirmed sectors include:

• Water and Wastewater Systems (WWS)
• Energy
• Government Facilities

Impact: The attacks have resulted in demonstrable physical and economic impact, including:

• Manipulation of Human-Machine Interface (HMI) displays: Altering on-screen data to sow confusion or hide malicious activity.
• Diminished PLC functionality: Causing devices to enter a fault state or stop functioning.
• Direct operational disruption and financial loss: Forcing shutdowns and emergency response procedures.

Technical Analysis

The attackers' methodology demonstrates a clear understanding of industrial control processes and the tools used to manage them. While not technically sophisticated in terms of vulnerability exploitation, the campaign is effective due to poor security hygiene in OT environments.

Tactics, Techniques, and Procedures (TTPs)

1. Reconnaissance (T1595.002 - Vulnerability Scanning): Attackers use internet-wide scanning tools like Shodan or Censys to identify exposed PLCs, specifically looking for services running on common OT ports.
2. Initial Access (T1190 - Exploit Public-Facing Application): The primary initial access vector is direct connection to PLCs that are not protected by firewalls or access controls.
3. Execution & Control (T1219 - Remote Access Software): Attackers use Rockwell's own Studio 5000 Logix Designer software as a Remote Access Tool to connect to and program the PLCs. This use of legitimate software makes detection based on traffic patterns more challenging.
4. Impact (T0829 - Control Device): The core of the attack involves altering the PLC's logic. This can include changing setpoints, disabling safety interlocks, or forcing the device into a fault state.
5. Impact (T0886 - Manipulate View): By altering data on HMI displays, attackers can mislead operators, causing them to take incorrect actions or preventing them from seeing the true state of the physical process.

The use of legitimate engineering software from foreign IP addresses is a key indicator. Monitoring for such connections is a critical detection strategy.

Impact Assessment

The business and operational impact of this campaign is severe. Compromising a PLC can lead to immediate and catastrophic physical consequences. In a water treatment facility, for example, manipulating a PLC could alter chemical dosages, leading to public health crises. In an energy substation, it could cause equipment damage or widespread power outages. The financial impact stems from emergency response costs, equipment replacement, regulatory fines, and loss of public trust. The fact that attackers are also scanning for other protocols like Siemens S7comm and Modbus indicates this is a broad, systemic threat to all OT asset owners, not just those using Rockwell products.

Cyber Observables for Detection

Security teams should proactively hunt for signs of compromise and exposure. These are not IOCs, but hunting indicators:

Detection & Response

Detection:

• Network Monitoring: Implement robust monitoring of all network traffic entering and leaving OT segments. Use an IDS with signatures for industrial protocols like EtherNet/IP, Modbus, and S7comm. Alert on any connections from the internet to the OT network, especially on ports 44818/TCP and 502/TCP. (D3FEND Technique: D3-NTA: Network Traffic Analysis)
• Log Analysis: Centralize and analyze firewall, VPN, and NetFlow logs. Create high-priority alerts for connections originating from untrusted or foreign IP ranges attempting to access OT assets. (D3FEND Technique: D3-ITF: Inbound Traffic Filtering)
• Asset Inventory: Use active and passive scanning tools to build a comprehensive inventory of all OT assets and their network connectivity. This is fundamental to understanding your attack surface.

Response:

1. Immediate Isolation: If a compromise is suspected, immediately isolate the affected PLC and network segment from the rest of the network.
2. Preserve Evidence: Take a forensic image of the PLC's memory and any associated engineering workstations or HMI servers.
3. Restore from Known Good: Do not simply bring the device back online. Restore the PLC's firmware and project file from a trusted, offline backup that has been verified as clean.
4. Report: Report the incident to CISA and the FBI to aid in the broader investigation.

Mitigation

Immediate Actions:

1. Disconnect: Immediately remove all internet-facing PLCs and other OT devices from the public internet. These systems should never be directly accessible. (D3FEND Countermeasure: Network Isolation)
2. Secure Remote Access: If remote access is required, use a secure, multi-factor authenticated VPN with strict access controls, placing the VPN endpoint in a DMZ that is separate from the OT network. (D3FEND Countermeasure: Encrypted Tunnels, Multi-factor Authentication)
3. Firewall Rules: Implement strict firewall rules that deny all traffic to the OT network by default and only allow explicitly required connections from trusted sources.

Strategic Recommendations:

• Network Segmentation: Implement robust network segmentation between IT and OT networks using a DMZ. Prevent direct communication paths from the IT network to the OT network. (MITRE Mitigation: M1030 - Network Segmentation)
• OT Monitoring: Deploy a dedicated OT security monitoring solution that can passively monitor network traffic, identify assets, and detect anomalous behavior or malicious commands within industrial protocols. (MITRE Mitigation: M1047 - Audit)
• Change Management: Implement rigorous change management for PLC programs. Any changes should require authorization and be logged. Regularly compare running PLC code against authorized offline backups to detect unauthorized modifications.