US Agencies Sound the Alarm on Iranian ICS Targeting
A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and several partner agencies warned this week that hackers with ties to Iran have been actively targeting critical infrastructure organizations by compromising industrial control systems (ICS) and broader operational technology (OT) environments. The attackers specifically focused on programmable logic controllers (PLCs) manufactured by Rockwell Automation, though the advisory makes clear that devices from other vendors face comparable exposure. Both Rockwell Automation and Siemens have published their own customer advisories in response.
The intrusions caused operational disruption and financial loss by tampering with vulnerable human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems. Targeted sectors include government services and facilities, water utilities, and energy providers. The threat actors exploited internet-exposed PLCs and abused legitimate engineering software — most notably Rockwell's Studio 5000 Logix Designer — to interact with CompactLogix and Micro850 controllers at the file object level, extracting and manipulating programming logic that governs physical processes.
The Broader Attack Surface: Not Just a Rockwell Problem
While the advisory places a spotlight on Rockwell Automation and Allen-Bradley equipment — which collectively account for roughly 35 to 40 percent of the US PLC market — security professionals were quick to note the threat extends well beyond a single vendor.
Denis Calderone, CTO of Suzu Labs, pointed to the indicators of compromise included in the advisory as evidence of a multi-vendor problem:
"The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that's a Siemens protocol. The advisory itself says 'potentially other branded PLCs' are at risk. If you're running Siemens, Schneider, or any other PLC platform and assuming this doesn't apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem."
Calderone further explained the real-world danger of manipulated HMI and SCADA displays: if a water treatment operator or power plant engineer sees normal readings for pressure, flow, or chemical dosing levels when actual values differ, every operational decision made on that false data becomes a potential safety incident.
Historical Context: A Pattern of OT Targeting
Markus Mueller, Field CISO at Nozomi Networks, noted that nation-state-aligned groups have consistently targeted exposed OT devices during periods of elevated geopolitical tension. He cited the 2023–24 operations by CyberAv3ngers targeting Unitronics devices as the most high-profile prior campaign and said current activity follows the same pattern.
According to Mueller, more than 3,000 Rockwell devices remain publicly accessible in North America alone — a figure consistent with Rockwell Advisory ID SD1771, published March 20th — either because organizations are unaware of the exposure or because they underestimate the associated risk. He added that since the current conflict began, threat groups have made hundreds of unverified claims of compromising OT devices worldwide, including in North America, though no public disclosures from affected organizations have emerged.
"It's common for such groups to post screenshots of control systems, claiming compromise even when they have not actually gained access. As the conflict continues, we will likely see an increased tempo of events, including those targeting OT devices. This will likely continue even if there is a resolution to hostilities, as in past conflicts: when kinetic attacks stop, we see a focus on hybrid warfare, including cyber."
Why Internet-Exposed PLCs Represent a Pre-Staged Threat
Damon Small, a board member at Xcape, described the situation in blunt terms, arguing that an internet-exposed PLC is not merely a poor design choice but rather, in his words, "a pre-staged kinetic weapon." He characterized the current disruptions as live-fire exercises for potentially more catastrophic escalations that fall outside the reach of diplomatic agreements.
Small outlined a set of immediate remediation actions for operators:
- Pull every PLC off the public internet and isolate it behind a Zero Trust gateway or authenticated VPN.
- For Rockwell CompactLogix and Micro850 series devices, physically set the controller mode switch to the RUN position to block remote logic changes.
- Audit for exposed industrial ports such as 44818 and 2222.
- Rotate all default credentials across the OT environment.
He concluded with a stark warning: "If your water treatment plant or refinery is searchable on the internet, you are not running a utility; you are hosting a digital sandbox for the IRGC."
Debate Over CISA's Recommended Mitigations
Not all experts embraced every element of CISA's follow-up guidance without reservation. Duncan Greatwood, CEO of Xage Security, acknowledged that the recommendation to implement multi-factor authentication (MFA) is a positive step, but took issue with the suggestion to enable remote access through a network proxy, gateway, firewall, or VPN in front of PLCs.
"VPNs are widely recognized as insecure forms of remote access, a point CISA itself has previously acknowledged. The recommendation to keep PLC devices updated with the latest manufacturer patches can also be misaligned with OT realities, where systems often cannot be patched frequently without risking operational disruption."
Greatwood also cautioned that simply disconnecting assets from the internet is a temporary reaction rather than a durable solution, noting that a technician's malware-infected laptop can walk an attack inside the network boundary — something that has occurred hundreds of times in the past with the US electrical grid. He advocated for zero trust architectures, including just-in-time access rights and microsegmentation, as a more resilient long-term posture.
Systemic Weaknesses in OT Security Culture
David Sequino, Co-Founder and CEO of OmniTrust, described the advisory as exposing a broader industry-wide failure to move beyond what he called the "bolt-on" and "patch-and-pray" model. He argued that true resilience requires every device to maintain a verifiable, cryptographic identity from design and development through the factory floor to decommissioning — a concept he referred to as Trust Lifecycle Management (TLM).
"When an adversary can manipulate a project file or a Human-Machine Interface (HMI) to the control panels and dashboards that allow operators to interact with physical machinery — they effectively hijack the physical source of truth, causing physical consequences. In 2026, if any piece of hardware, firmware, software, user or site can't prove its own integrity, it's a liability."
Ross Filipek, CISO at Corsica Technologies, added that the current situation did not arise in a vacuum. Years of high-profile infrastructure incidents have demonstrated two persistent truths: many OT environments still have internet-reachable interfaces and remote access paths that were never intended to be permanent, and even limited disruptions can generate outsized consequences — from emergency response strain to financial losses and reputational damage. He also emphasized that the fallout from such incidents does not respect geographic boundaries, noting that when a municipal utility goes offline, suppliers, hospitals, and regional partners all feel the impact.
The Military and Geopolitical Dimension
Lieutenant General Ross Coffman (US Army, Ret.), President of Forward Edge-AI, framed the Iranian activity within a broader strategic context, characterizing it as part of a multi-domain campaign rather than an isolated cyber operation.
"Iran is using its long-range targeting tools to fight in every domain possible. We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government's cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank."
Recommended Actions for Defenders
Across the expert commentary, several consistent recommendations emerged for organizations operating critical infrastructure:
- Remove PLCs and OT devices from public internet access immediately. The advisory confirms attackers are simply connecting to exposed devices using overseas IP addresses.
- Implement proper network segmentation, placing controllers and SCADA infrastructure behind monitored firewall boundaries between IT and OT environments.
- Audit for exposed industrial protocol ports, including 44818 (EtherNet/IP), 102 (S7comm/Siemens), and 502 (Modbus).
- Enforce multi-factor authentication on all remote access pathways into OT environments.
- Adopt zero trust principles, including microsegmentation and just-in-time access controls, rather than relying solely on perimeter defenses.
- Move away from bolt-on security models and embed cryptographic identity and integrity verification throughout the device lifecycle.
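A small audit helper that applies the port list above to perimeter firewall logs, added here as an illustration and not code from the advisory, CISA, or any vendor: it flags allowed connections to the industrial protocol ports named on this page (44818, 2222, 102, 502) from sources outside RFC1918 space, which is the exposure that both Small's action list and the recommendations above tell operators to find first. The log line format, the OT subnet addresses, and the external source addresses are constructed sample data.

```python
import ipaddress
import re

# Ports called out in the advisory and the expert commentary above.
OT_PORTS = {44818: "EtherNet/IP (Rockwell and others)", 2222: "EtherNet/IP implicit I/O",
            102: "S7comm (Siemens)", 502: "Modbus/TCP (most PLC vendors)"}

# Only RFC1918 space counts as internal; anything else is a remote source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed firewall log format (constructed): <ts> <ALLOW|DENY> <TCP|UDP> src:port -> dst:port
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
                    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ot(lines):
    """Return allowed connections that reach an OT protocol port from outside RFC1918."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "ALLOW":
            continue  # malformed lines and blocked attempts are not exposure
        dport = int(m["dport"])
        if dport in OT_PORTS and is_external(m["src"]):
            hits.append({"src": m["src"], "dst": m["dst"], "port": dport,
                         "protocol": OT_PORTS[dport]})
    return hits

def exposed_assets(hits):
    """Count distinct external sources per (PLC address, port): the audit summary."""
    sources = {}
    for h in hits:
        sources.setdefault((h["dst"], h["port"]), set()).add(h["src"])
    return {key: len(srcs) for key, srcs in sources.items()}

SAMPLE_LOG = [  # constructed sample lines, not taken from the advisory
    "2026-03-21T02:14:07Z ALLOW TCP 203.0.113.45:51234 -> 192.168.10.5:44818",
    "2026-03-21T02:14:09Z ALLOW TCP 203.0.113.45:51240 -> 192.168.10.5:44818",
    "2026-03-21T02:15:11Z ALLOW TCP 198.51.100.7:40012 -> 192.168.10.5:44818",
    "2026-03-21T02:16:30Z ALLOW TCP 198.51.100.7:40020 -> 192.168.10.9:102",
    "2026-03-21T02:17:02Z DENY TCP 203.0.113.45:51300 -> 192.168.10.9:502",
    "2026-03-21T02:18:44Z ALLOW TCP 192.168.10.20:33000 -> 192.168.10.9:502",
    "2026-03-21T02:19:00Z ALLOW TCP 203.0.113.45:51400 -> 192.168.10.30:443",
]
```

On the sample data the summary reports the CompactLogix-style host at 192.168.10.5 reached on 44818 by two external sources and the S7comm host on 102 by one, while the denied Modbus attempt and the internal engineering-station traffic are ignored; a real run would feed the exporter's log lines in place of SAMPLE_LOG.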
With more than 3,000 Rockwell devices still exposed in North America and geopolitical tensions showing no sign of easing, security experts broadly agree that the window for complacency has closed — and that the consequences of inaction extend far beyond financial loss to the physical safety of communities that depend on these systems.
Source: SecurityWeek