US Federal Agencies Warn of Iranian Cyberattacks Targeting Industrial Control Systems

U.S. federal agencies have issued an urgent joint advisory regarding a series of escalating cyberattacks by Iranian state-backed hacking groups. The campaign specifically targets Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs), critical components used to manage industrial processes across U.S. infrastructure.
Escalation and Impact
The advisory confirms that since March 2026, Iranian-affiliated Advanced Persistent Threat (APT) groups have successfully compromised thousands of internet-exposed devices. These attacks have moved beyond mere reconnaissance, resulting in:
- Data Extraction: Unauthorized retrieval of sensitive project files from PLCs.
- Manipulation: Alteration of data on Human-Machine Interface (HMI) and SCADA displays, which could mislead operators about the actual state of industrial machinery.
- Disruption: Significant operational downtime and associated financial losses.
The FBI has linked this surge in activity to heightened geopolitical tensions involving Iran, the United States, and Israel.
The Scope of Exposure
According to data released by cybersecurity firm Censys, the attack surface is vast and highly concentrated. Of the 5,219 Rockwell Automation hosts identified as internet-exposed globally, approximately 74.6% (3,891 hosts) are located within the United States.
Censys researchers noted a “disproportionate share” of these devices are connected via cellular carrier modems, indicating they are likely field-deployed units used in remote critical infrastructure sites, such as water treatment plants and energy grids.
Historical Context of Iranian OT Attacks
This campaign mirrors previous operations attributed to the Islamic Revolutionary Guard Corps (IRGC). Between late 2023 and early 2024, a group known as CyberAv3ngers compromised dozens of Unitronics PLC devices, primarily within the U.S. water and wastewater sectors. More recently, the Handala hacktivist group—linked to Iran’s intelligence ministry—reportedly wiped 80,000 devices from the network of medical giant Stryker.
Recommended Defense Measures
Federal agencies are urging network defenders to take immediate action to secure Operational Technology (OT) environments:
- Isolation: Disconnect PLCs from the public internet or shield them behind robust firewalls.
- Access Control: Enforce Multi-Factor Authentication (MFA) for all remote access to OT networks.
- Traffic Monitoring: Scan logs for suspicious traffic on OT ports, specifically flagging connections originating from overseas hosting providers.
- Patch Management: Ensure all industrial hardware is updated with the latest firmware to mitigate known vulnerabilities.
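A worked illustration of the traffic-monitoring step, added here as an example and not code from the advisory or from Censys: it parses constructed firewall log lines, keeps only connections to the EtherNet/IP ports (TCP/UDP 44818 for explicit messaging and UDP 2222 for CIP implicit I/O, the registered ports for those services), and flags every source that is not on an allowlist, rating sources outside RFC 1918 space as critical and unapproved internal hosts as high. The key=value log format, the subnets, the allowlist and the addresses are all assumptions made for the example.

```python
"""Flag connections to EtherNet/IP ports that do not come from approved sources.

Added example, not the advisory's or Censys's code. Assumptions, all
constructed for illustration:
  - Firewall logs are single-line key=value records (format below).
  - TCP/UDP 44818 (EtherNet/IP explicit messaging) and UDP 2222
    (CIP implicit I/O) are the OT ports of interest.
  - Only the engineering subnet and one approved jump host may talk
    to the PLC VLAN; any other source is a finding.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

OT_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "CIP implicit I/O",
}

# RFC 1918 space, used to decide whether a source is inside the plant network at all.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist: engineering workstations and one approved remote-access jump host.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.1.5/32")]

# Constructed sample log lines. 203.0.113.x and 198.51.100.x are documentation
# ranges standing in for arbitrary internet sources.
SAMPLE_LOGS = """\
ts=2026-04-02T03:14:07Z action=allow proto=tcp src=10.20.0.15 sport=51234 dst=10.30.5.11 dport=44818
ts=2026-04-02T03:14:09Z action=allow proto=tcp src=203.0.113.45 sport=40112 dst=10.30.5.11 dport=44818
ts=2026-04-02T03:15:22Z action=allow proto=udp src=198.51.100.7 sport=2222 dst=10.30.5.12 dport=2222
ts=2026-04-02T03:16:01Z action=allow proto=tcp src=10.99.1.5 sport=55001 dst=10.30.5.11 dport=44818
ts=2026-04-02T03:16:40Z action=deny proto=tcp src=203.0.113.45 sport=40113 dst=10.30.5.13 dport=44818
ts=2026-04-02T03:17:03Z action=allow proto=tcp src=10.50.7.8 sport=60210 dst=10.30.5.11 dport=44818
ts=2026-04-02T03:17:30Z action=allow proto=tcp src=10.20.0.15 sport=51240 dst=10.30.5.11 dport=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str
    action: str
    severity: str  # "critical" = source outside RFC 1918, "high" = internal but not approved


def parse_record(line: str) -> dict:
    """Turn one key=value log line into a dict (empty dict for a blank line)."""
    return dict(KV_RE.findall(line))


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def classify_source(src: str) -> str | None:
    """Return a severity for a source address, or None if the source is approved."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, ALLOWED_SOURCES):
        return None
    # A PLC should never be reachable from outside private address space at all.
    return "high" if in_any(addr, INTERNAL_NETS) else "critical"


def find_suspicious(log_text: str) -> list[Finding]:
    """Return every OT-port connection whose source is not approved.

    Denied connections are kept as well: an internet source being denied on
    44818 still shows that the PLC VLAN is being probed from outside.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "dport" not in rec:
            continue
        dport = int(rec["dport"])
        if dport not in OT_PORTS:
            continue
        severity = classify_source(rec["src"])
        if severity is None:
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport,
                                OT_PORTS[dport], rec["action"], severity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for a one-line triage summary."""
    counts = {"critical": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.severity.upper():8} {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.service}) action={f.action}")
    print(summarize(hits))
```

On the constructed sample this reports three critical findings (two from 203.0.113.45, one of them denied, and one UDP 2222 flow from 198.51.100.7) and one high finding from the internal host 10.50.7.8, which is inside the plant but not an engineering workstation. The script only separates internal from external sources; to match the advisory's wording about overseas hosting providers, the critical findings would be enriched with ASN or geolocation data in a second step, which needs a lookup source and is deliberately left out here.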
The Vulnerability of Cellular-Connected OT
The Censys report highlights a critical architectural weakness in modern U.S. infrastructure: the reliance on cellular modems for remote PLC management. While cellular connectivity allows for the monitoring of dispersed assets (like pipelines or water substations), it often bypasses traditional enterprise perimeter security.
From a technical standpoint, the fact that hackers are extracting “project files” is particularly alarming. These files contain the logic and configuration of the entire industrial process. Once an adversary has the project file, they can simulate the environment offline to craft “perfect” data manipulation attacks—making the HMI show “normal” operations while the physical equipment is being pushed to failure.
This campaign signals a shift toward Living-off-the-Land (LotL) tactics in OT. Instead of using custom malware, attackers are using the built-in functionality of the PLCs (such as the EtherNet/IP protocol) to achieve their goals. For defenders, this means that simply “patching” is not enough; the solution must involve a fundamental shift toward Zero Trust architectures where no industrial controller is ever directly reachable from a public-facing IP.