The US government warned this week that Iran-linked hackers have targeted critical infrastructure organizations, hacking industrial control systems (ICS) and other operational technology (OT).
According to an advisory written by CISA, the FBI, and several other agencies, hackers have targeted programmable logic controllers (PLCs) made by Rockwell Automation, but devices from other vendors are also at risk. Both Rockwell and Siemens have published advisories to alert customers.
The attacks caused operational disruption and financial loss through tampering with vulnerable human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems.
The threat actors targeted internet-exposed PLCs and abused legitimate programming software such as Rockwell’s Studio 5000 Logix Designer to achieve their goals.
Targeted industries include government services and facilities, water, and energy.
Industry professionals have shared thoughts on the advisory and provided recommendations for defenders.
Markus Mueller, Field CISO, Nozomi Networks:

“The advisory is not surprising. We have observed nation-state-aligned threat groups targeting publicly exposed operational technology (OT) devices in recent years whenever there’s increased geopolitical activity. The most high-profile of these campaigns was the 2023-24 operations carried out by CyberAv3ngers targeting Unitronics devices.
In the current conflict, we have again observed a significant increase in such activity, such as what CISA recently reported. Industry groups, information sharing organizations, and vendors, including Rockwell, have been urging organizations to disconnect these devices from publicly accessible networks (Rockwell Advisory ID: SD1771, March 20th). Many of these devices are still online (in the case of Rockwell, more than 3K in North America), either because organizations are unaware they’re connected or because they underestimate the risk. The public exposure of these OT devices creates a vast attack surface that a motivated and capable adversary can exploit, which is especially relevant given the current conflict.
Since the conflict began, threat groups have made hundreds of unverified claims that they have compromised OT devices worldwide, including in North America. However, no public disclosures from affected organizations have come out. It’s common for such groups to post screenshots of control systems, claiming compromise even when they have not actually gained access. The fact that we are not seeing more publicly disclosed incidents may be a function of the scope of threat activity, which is mostly focused on the region supporting each side’s kinetic activity, the type of activity, which is mostly DDoS and data leaks, or it could be because organizations don’t want to disclose breaches of this type.
It could also be that these groups are in the discovery and initial access phases of their campaigns, as some of the observed activity indicates. As the conflict continues, we will likely see an increased tempo of events, including those targeting OT devices. This will likely continue even if there is a resolution to hostilities, as in past conflicts, when kinetic attacks stop, we see a focus on hybrid warfare, including cyber.”
Denis Calderone, CTO, Suzu Labs:

“[…] Today, we’re seeing the threat actors conducting fairly surgical operations, using Studio 5000 Logix Designer, which is Rockwell Automation’s own PLC programming software, to interact with CompactLogix and Micro850 controllers at the file object level. They’re extracting the programming logic that controls physical processes and manipulating data on HMI and SCADA displays. Think about what that means for a water treatment operator or a power plant engineer. If your display is showing you normal pressure, flow, or chemical dosing levels and the actual values are different, you’re making operational decisions based on false data. That’s how equipment damage and safety incidents happen.
Now, the advisory specifically calls out Rockwell Automation and Allen-Bradley, and that makes sense because Rockwell holds roughly 35 to 40 percent of the US PLC market. But don’t let the Rockwell focus distract you. The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that’s a Siemens protocol. The advisory itself says ‘potentially other branded PLCs’ are at risk.
If you’re running Siemens, Schneider, or any other PLC platform and assuming this doesn’t apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem.
The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period. The advisory confirms that the attackers are simply connecting to internet-exposed devices using overseas IP addresses. But internet isolation alone isn’t enough. Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments.”
Duncan Greatwood, CEO, Xage Security:

“The active exploitation of our water and energy systems represents a sobering milestone in the weaponization of domestic infrastructure. This targeted campaign focuses on the core logic of our industrial processes, where the manipulation of control systems and human-machine interfaces can lead to direct operational failure. While emergency alerts provide critical guidance, the practice of disconnecting assets from the internet remains a temporary reaction to a systemic vulnerability. And even when infrastructure is disconnected, a technician’s malware-infected laptop can “walk” an attack inside the network boundary, as has happened hundreds of times in the past with the U.S. electrical grid. For our critical utilities, priority should be placed on establishing a resilient foundation that secures every interaction, rather than simply reacting to the threat of the day.
CISA’s follow-up guidance to implement MFA is a positive step. However, its recommendation to enable remote access through a network proxy, gateway, firewall, and/or VPN in front of PLCs is problematic. VPNs are widely recognized as insecure forms of remote access, a point CISA itself has previously acknowledged.
The recommendation to keep PLC devices updated with the latest manufacturer patches can also be misaligned with OT realities, where systems often cannot be patched frequently without risking operational disruption. Rather than relying solely on patching, operators need to strictly control access to the PLC, so the PLC can be protected when attacks are live on the network, even though the PLC itself may be insecure.
To provide a durable foundation for resilience, organizations should adopt zero trust architectures, such as just-in-time access rights and microsegmentation to more effectively defend against advanced attacks and strengthen security posture.”
Damon Small, Board of Directors, Xcape:

“The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot. By leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed programmable logic controller (PLC) is not a poor technical design – it is a pre-staged kinetic weapon. Security leaders must acknowledge that these “nuisance” disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires. The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve.
Teams must immediately pull every PLC off the public Internet and isolate them behind a Zero Trust gateway or authenticated VPN. For Rockwell CompactLogix and Micro850 series devices, operators should physically set the controller mode switch to the RUN position to block remote logic changes. Organizations must audit for exposed industrial ports such as 44818 and 2222 and rotate all default credentials across the OT environment. Failing to remove these systems from public view is an open invitation for geopolitical adversaries to use your operational uptime as a diplomatic bargaining chip.
In short, the cease-fire will not stop our adversaries from attacking the United States’ critical infrastructure, and this will lead to the unavailability of these services, or worse, to incidents that lead to loss of life and limb.
If your water treatment plant or refinery is searchable on the Internet, you are not running a utility; you are hosting a digital sandbox for the IRGC.”

Lieutenant General Ross Coffman (US Army, Ret.), President, Forward Edge-AI:

“Iran using cyberattacks to probe and impact American utilities should come as no surprise. Iran is using its long-range targeting tools to fight in every domain possible.
We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government’s cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank.”
David Sequino, Co-Founder & CEO, OmniTrust:

“Iranian-affiliated actors aren’t just probing for data within our critical infrastructure; they are threatening the physical systems at the foundation of our daily lives. Without reliable sources of drinking water, many in our country wouldn’t survive. For far too long, industrial controllers have ‘bolted on security’ or operators of OT (operational technologies) networks focused on the outer edge of our OT networks through porous firewalls, leaving the industrial controllers and sensors open to attack.
When an adversary can manipulate a project file or a Human-Machine Interface (HMI) to the control panels and dashboards that allow operators to interact with physical machinery — they effectively hijack the physical source of truth causing physical consequences. While this advisory focuses on specific PLC hardware, the methodology exposes a broader industry-wide need to move beyond the ‘Bolt on’ and ‘patch-and-pray’ model and adopt Trust Lifecycle Management (TLM) during the outset of any design cycle for any element in our critical infrastructure.
True resilience requires every device to maintain a verifiable, cryptographic identity from design and development, to the factory floor, to decommissioning. In 2026, if any piece of hardware, firmware, software, user or site can’t prove its own integrity, it’s a liability. Operators can no longer just lock the door; they must be able to protect the keys across the entire lifecycle of any and all devices that make up our critical infrastructure.”
Ross Filipek, CISO, Corsica Technologies:

“The developments outlined in the advisory didn’t happen in a vacuum. Years of high-profile infrastructure incidents have shown the world two things. First, that many operational technology environments still have internet-reachable interfaces and remote access paths that were never meant to be permanent. Second, that even limited disruptions can create outsized chaos, from emergency response strain to financial loss and reputational damage. Each successful or even partially successful campaign lowers the barrier for the next one, and emboldens actors to move from nuisance-level defacement into real operational interference.
The fallout is not contained by borders. If a municipal utility goes down, suppliers, hospitals, and regional partners feel it. If an energy operator has to throttle operations, downstream manufacturing and logistics take a hit. Globally, allied partners watching these campaigns have to assume the same playbook will be reused similarly abroad, especially where vendors, integrators, and remote maintenance channels overlap.
The most important mitigation steps aren’t glamorous, but they’re essential. Agencies need to know exactly which OT assets they control, remove direct internet exposure, and segment OT from business networks so one compromise doesn’t trigger a ripple effect. From there, invest in continuous monitoring that understands both IT and OT signals, and pair it with incident response muscle memory through tested playbooks and tabletop exercises. The organizations that fare best are the ones that treat resilience as an always-on capability, not a scramble after an alert.”
Steve Povolny, Vice President of AI Strategy & Security Research, Exabeam:

“The latest advisory from CISA reinforces what years of researching industrial control systems and IoT exploitation have already made clear to me firsthand. Industrial control environments across the United States remain structurally fragile targets. Programmable logic controllers and supporting HMI stacks are often deployed on aging hardware, run outdated firmware for years at a time, and sit inside operational networks that were never designed with adversarial persistence in mind. In many cases, these systems remain directly reachable from external networks or indirectly exposed through poorly segmented enterprise integrations, despite having no operational requirement to be internet accessible at all.
From a strategic perspective, this matters because compromising ICS can directly disrupt critical infrastructure and create real-world consequences beyond traditional cyber incidents. Water treatment plants, electrical distribution systems, pipeline operations, and manufacturing control layers are uniquely asymmetric targets. They allow adversaries to generate disruption, fear, and economic pressure without triggering the kind of response normally associated with physical conflict. That reality makes PLC-focused campaigns especially concerning right now, and this advisory is describing an operational playbook already being exercised against live infrastructure.
Organizations operating SCADA, ICS, and broader OT environments should assume increased reconnaissance, credential harvesting, and opportunistic exploitation attempts during this period of heightened tension. Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators. Teams should prioritize passive network monitoring for control protocols, enforce strict segmentation between enterprise and control zones, validate remote access pathways, and confirm that engineering workstations and vendor maintenance channels are tightly controlled and logged. Just as important, incident response plans must explicitly account for loss of control system integrity, not just loss of data confidentiality. However, I fear it may be too late for much of this to have short-term impact.”
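The port list Calderone walks through (44818, 102, 502), the port audit Small recommends (44818, 2222), and Povolny’s call to monitor control protocols and log engineering-workstation access all reduce to one defender-side check. The script below is an added example, not code from the advisory or from any of the quoted companies: it reads constructed firewall log lines (documentation IP ranges stand in for internet sources; the internal networks, the engineering-host allowlist and the log format are assumptions) and flags allowed connections to ICS protocol ports that come either from outside the operator’s address space or from an internal host that is not an approved engineering workstation.

```python
import ipaddress

# OT protocol ports named in the commentary above (mapping constructed for this example)
ICS_PORTS = {
    44818: "EtherNet/IP (Rockwell and others)",
    2222: "EtherNet/IP implicit I/O",
    102: "S7comm (Siemens)",
    502: "Modbus/TCP",
}
# Assumed operator address space; anything outside it is treated as internet-sourced
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of hosts permitted to program PLCs (e.g. the Studio 5000 workstation)
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.1.15")}

# Constructed firewall log lines: timestamp action src dst dport
SAMPLE_LOGS = """\
2026-03-21T02:14:05Z ALLOW 198.51.100.23 10.20.5.10 44818
2026-03-21T02:14:09Z ALLOW 10.20.1.15 10.20.5.10 44818
2026-03-21T02:15:31Z ALLOW 203.0.113.77 10.20.5.12 102
2026-03-21T02:16:02Z ALLOW 10.20.30.8 10.20.5.12 502
2026-03-21T02:17:40Z DENY 198.51.100.23 10.20.5.10 2222
2026-03-21T02:18:11Z ALLOW 10.20.1.15 10.20.5.20 443
"""

def parse_line(line):
    ts, action, src, dst, dport = line.split()
    return {"ts": ts, "action": action, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def classify(rec):
    """Label an allowed connection to an ICS port; None if it needs no attention."""
    if rec["action"] != "ALLOW" or rec["dport"] not in ICS_PORTS:
        return None
    if not is_internal(rec["src"]):
        return "INTERNET_EXPOSED"      # direct exposure of the kind the advisory describes
    if rec["src"] not in ENGINEERING_HOSTS:
        return "UNEXPECTED_INTERNAL"   # PLC access from a host that should not be programming it
    return None

def find_findings(log_text):
    """Return (label, src, dst, protocol) for every log line that warrants follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((label, str(rec["src"]), str(rec["dst"]), ICS_PORTS[rec["dport"]]))
    return findings
```

Denied connections and non-ICS ports are ignored, so the output lists only the PLC sessions that segmentation or the engineering-host allowlist should have stopped.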
Süleyman Özarslan, Co-Founder, Picus Security:

“The most notable aspect of this campaign is the attackers’ skill. They use the same engineering software and trusted connections that OT teams use daily, making it difficult to spot malicious activity. For defenders, the main problem is exposure. If PLCs can be accessed from the internet, attackers have a straightforward way into operational systems.
An even greater concern is that this shows a weakness in how systems are designed. If segmentation, access controls, and hardening are not strong enough, attackers can blend in with normal OT workflows, stay in the system, and disrupt industrial operations in ways that are harder to spot.”