U.S. government agencies on Tuesday warned American organizations about ongoing cyber activity targeting OT and PLC devices, including those manufactured by Rockwell Automation and Allen-Bradley, across multiple critical infrastructure sectors. The activity has been attributed to Iranian-affiliated APT actors seeking to disrupt operations in the United States.
Disruptions across critical sectors
The advisory, issued by federal cybersecurity and law enforcement agencies, said the activity aligns with heightened geopolitical tensions involving Iran, the United States, and Israel.
“This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss,” the advisory states.
The agencies said the threat actors used overseas IP addresses to access internet-exposed PLCs. In some cases, the actors relied on leased, third-party infrastructure to establish connections to victim devices using legitimate engineering software. This access enabled them to extract project files and alter data displayed on HMI and SCADA systems.
Federal officials urged organizations to investigate and validate suspicious IP addresses before taking defensive action. They also recommended reviewing historical activity for patterns associated with Iranian-affiliated operations.
Recommended mitigations
The agencies outlined mitigation measures aligned with Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs 2.0), developed by CISA and NIST.
Immediate steps include disconnecting PLCs from public-facing internet access and limiting remote connectivity. For controllers equipped with a physical switch, organizations should set devices to “run” mode to prevent remote modification. For systems that support software-based key switching, agencies recommend enabling programming protections to restrict unauthorized changes.
Organizations are also advised to create and regularly test backups of PLC logic and configurations to support recovery in the event of compromise. Additional guidance includes monitoring for unauthorized access, reviewing logs for suspicious activity, and validating IP addresses before blocking them to avoid disrupting legitimate operations.
