CISA and federal partners issued a joint advisory detailing Iranian-affiliated cyber actors exploiting programmable logic controllers in U.S. critical infrastructure.
U.S. critical infrastructure organizations are facing an elevated cyber risk as Iranian-affiliated threat actors actively exploit internet-connected operational technology (OT) devices, according to a newly released Joint Cybersecurity Advisory.
The advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and U.S. Cyber Command’s Cyber National Mission Force. It highlights confirmed cyber exploitation activity targeting programmable logic controllers (PLCs) across multiple U.S. critical infrastructure sectors.
Who Is at Risk?
The advisory notes that organizations operating internet-exposed OT systems are particularly vulnerable. Confirmed targets span several sectors, including:
- Government Services and Facilities, including local municipalities
- Water and Wastewater Systems
- Energy
Threat actors have specifically targeted Rockwell Automation/Allen-Bradley PLCs, underscoring the risk posed by widely deployed industrial control technologies when they are directly accessible from the internet.
What Are the Impacts?
The reported activity goes beyond reconnaissance. Organizations have experienced:
- Malicious manipulation of PLC project files
- Unauthorized changes to human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays
- Operational disruptions, including loss of visibility or control
- Financial losses tied to downtime and recovery efforts
These actions demonstrate both capability and intent to disrupt essential services, rather than conduct passive intelligence gathering.
Recommended Defensive Actions
The authoring agencies strongly urge organizations to review the advisory’s detailed tactics, techniques, and procedures (TTPs), along with associated indicators of compromise (IOCs). Immediate risk-reduction steps include:
- Eliminate direct internet exposure: remove PLCs from direct internet access by using secure gateways and properly configured firewalls.
- Review historical and current logs: query available logs for the published IOCs during the relevant timeframes.
- Monitor OT-related network traffic: investigate suspicious traffic on common OT ports, including 44818, 2222, 102, and 502, especially when traffic originates from overseas hosting providers.
- Harden physical access controls: ensure the PLC physical key switch is set to the Run position to prevent unauthorized changes.
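The two log-centred steps above (querying logs for the published IOCs and watching the listed OT ports) can be folded into a single triage pass over firewall or flow logs. The script below is an added example written for this summary, not code from CISA, the authoring agencies or Rockwell Automation. It assumes a simple key=value firewall log format, RFC 1918 address space as "internal", and a placeholder IOC address; in practice the log parser, internal ranges and IOC set would be replaced with the organization's own data and the indicators published in the advisory.

```python
"""Triage helper for two advisory steps: query logs for published IOCs and
monitor traffic to common OT ports. Scans firewall/flow log lines for
connections to OT/ICS ports from outside the organization's own address
space and ranks them. Added example; the log format, address ranges and
IOC list below are assumptions, not data from the advisory."""
import ipaddress
from collections import Counter

# Ports named in the advisory, with the protocol each normally carries.
OT_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / S7comm",
    502: "Modbus/TCP",
}

# Assumption: the organization's internal networks are RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder IOC set (documentation-range address); the real indicators
# come from the advisory itself.
KNOWN_BAD_SRC = {"203.0.113.77"}

# Constructed sample log in an assumed "<timestamp> key=value ..." format.
SAMPLE_LOG = """\
2025-06-01T02:14:07Z action=allow src=203.0.113.77 dst=192.168.10.5 proto=tcp dport=44818
2025-06-01T02:14:09Z action=allow src=198.51.100.23 dst=192.168.10.5 proto=tcp dport=502
2025-06-01T02:15:11Z action=allow src=192.168.20.14 dst=192.168.10.5 proto=tcp dport=44818
2025-06-01T02:16:30Z action=allow src=198.51.100.23 dst=192.168.10.7 proto=tcp dport=443
2025-06-01T02:17:02Z action=deny src=203.0.113.77 dst=192.168.10.5 proto=tcp dport=2222
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict; dport becomes an int."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return findings for OT-port traffic from external sources, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] not in OT_PORTS:
            continue  # not an OT port: out of scope for this check
        if is_internal(rec["src"]):
            continue  # engineering-workstation traffic from inside is expected here
        if rec["src"] in KNOWN_BAD_SRC:
            severity, reason = "high", "source matches a published IOC"
        else:
            severity, reason = "medium", "external source reaching an OT port"
        if rec["action"] != "allow":
            severity = "low"  # blocked by the firewall, but still evidence of probing
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "service": OT_PORTS[rec["dport"]],
            "action": rec["action"], "severity": severity, "reason": reason,
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ts"]))
    return findings


def sources_by_hits(findings):
    """Count findings per external source so repeat offenders stand out."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"({f['service']}, {f['action']}) - {f['reason']}")
    print(sources_by_hits(results))
```

Two design points worth noting. Denied connections are kept rather than dropped, at low severity, because the advisory's concern with traffic from overseas hosting providers applies to probing that the firewall happened to block as much as to sessions that got through; a source that appears repeatedly in `sources_by_hits` is worth a closer look even if every attempt was denied. Second, matching on destination port alone is a coarse filter: anything arriving on 44818 from outside is anomalous for a PLC that should not be internet-reachable at all, but confirming what protocol the session actually carried requires packet captures or a deep-packet-inspection sensor, not just the firewall log.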
Organizations that believe they may have been targeted are encouraged to contact the authoring agencies and Rockwell Automation directly for incident response guidance.
Stay Informed
For continued updates and broader context, organizations should review:
- CISA’s Iran Cyber Threat Overview and Advisories
- The FBI’s Iran Threat resources
As OT environments become more connected, proactive security controls and continuous monitoring are essential. This advisory is a timely reminder that critical infrastructure defenders must treat internet-exposed control systems as high-risk assets—because adversaries already do.