Iranian-affiliated cyber actors are actively targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure. These attacks disrupt operations and cause financial loss by manipulating industrial displays and project files. Organizations must act now to secure their operational technology and prevent unauthorized remote access to essential systems.
Threat Explanation
Foreign threat actors are exploiting industrial controllers that are directly reachable from the public internet without adequate protection. Using standard administrative tools rather than custom malware, they take control of these systems to alter operating data and shut down processes, causing real-world disruption with little technical effort.
Who is at Risk?
The advisory confirms that these threat actors are targeting organizations that operate internet-exposed Rockwell Automation/Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices. Confirmed victims include:
Water and Wastewater Systems
Municipal water facilities and treatment plants.
Energy Sectors
Power generation and distribution entities.
Government Services & Facilities
Local municipalities and administrative buildings.
Critical Manufacturing
Any industrial operation relying on these Rockwell Automation/Allen-Bradley controllers for automation.
Recommended Actions
Disconnect from the Internet
Ensure all Programmable Logic Controllers (PLCs) are placed behind a properly configured firewall, or disconnected from the public-facing internet entirely, so that they can only be reached from trusted internal hosts.
Enable Physical Security
If your controllers have a physical "Run/Program" switch, keep it in the "Run" position to prevent remote software changes.
Update Passwords & MFA
Change all default manufacturer passwords and implement Multi-Factor Authentication (MFA) for any remote access to your network.
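As an added illustration of the first recommendation (this is example code, not part of the advisory), the following defender-side check runs over constructed flow-log lines and flags any PLC protocol traffic that reaches the controller network from outside a trusted engineering range. The EtherNet/IP port 44818, the address ranges and the log format are assumptions chosen for the example, not values taken from the advisory.

```python
"""Flag flow-log records showing PLC protocol traffic from untrusted sources.

Constructed example: TCP 44818 is the standard EtherNet/IP (CIP) port that
Rockwell/Allen-Bradley controllers listen on; it is assumed here, not taken
from the advisory. Address ranges and log format are likewise made up.
"""
import ipaddress
from dataclasses import dataclass

PLC_PORTS = {44818}                                   # EtherNet/IP explicit messaging
PLC_NETWORK = ipaddress.ip_network("10.20.7.0/24")    # controller subnet (constructed)
TRUSTED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]  # engineering VLAN (constructed)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one record in the constructed 'timestamp src dst proto dport' format."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def find_exposed_plc_access(lines):
    """Return a Finding for every PLC-port connection whose source is not an
    allowlisted engineering host. Any other source, internal or public, is
    treated as unauthorized remote access to the controller network."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        _ts, src, dst, _proto, dport = parse_flow(line)
        if dst not in PLC_NETWORK or dport not in PLC_PORTS:
            continue
        if not any(src in net for net in TRUSTED_SOURCES):
            origin = "public internet" if not src.is_private else "untrusted internal host"
            findings.append(Finding(str(src), str(dst), dport,
                                    f"PLC port reached from {origin}"))
    return findings


# Constructed sample flow log: one trusted engineering connection, one from a
# public address, one from a non-engineering internal host, one to a non-PLC port.
SAMPLE_FLOWS = """
2025-12-01T10:00:01Z 10.20.5.10 10.20.7.50 tcp 44818
2025-12-01T10:00:07Z 203.0.113.45 10.20.7.50 tcp 44818
2025-12-01T10:00:09Z 10.20.9.23 10.20.7.51 tcp 44818
2025-12-01T10:00:12Z 198.51.100.9 10.20.7.50 tcp 443
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_exposed_plc_access(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst}:{f.dport} ({f.reason})")
```

The same logic applies to real firewall or NetFlow exports once the parser is adapted to their record format.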