Federal Agencies Sound the Alarm Over Escalating Iranian ICS Targeting
A joint advisory issued by multiple U.S. federal agencies on Tuesday revealed that Iranian state-backed hacking groups have been systematically targeting industrial control systems operated by American organizations. Specifically, the campaign has focused on Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) since at least March 2026, resulting in operational disruptions and measurable financial losses for affected organizations.
The advisory's authoring agencies issued a stark warning about the motivations behind the escalating activity:
"Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel."
Federal investigators from the FBI specifically identified that the intrusions led to the extraction of device project files and to manipulation of data displayed on human-machine interface (HMI) and SCADA systems — a particularly concerning development given the role these interfaces play in managing physical industrial processes.
Thousands of Vulnerable Devices Sitting Exposed on the Open Internet
Cybersecurity firm Censys published complementary findings one day after the federal advisory, quantifying just how large an attack surface Iranian-linked actors have to work with. According to Censys, a total of 5,219 internet-exposed hosts globally respond to the EtherNet/IP (EIP) protocol and self-identify as Rockwell Automation/Allen-Bradley devices.
The United States dominates that global exposure figure by a wide margin. As Censys stated:
"The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems."
That means 3,891 U.S.-based industrial hosts — nearly three-quarters of the worldwide total — are reachable directly from the internet, many of them apparently connected via cellular modems in the field rather than from hardened enterprise environments. The combination of widespread internet exposure and cellular connectivity compounds the risk for operators who may lack visibility into the traffic reaching their OT infrastructure.
Recommended Defenses for Network Operators
In light of the ongoing campaign, network defenders and OT system administrators have been advised to take immediate protective action. Key recommendations include:
- Place PLCs behind a firewall or disconnect them entirely from the internet where possible
- Scan system logs for indicators of malicious activity
- Monitor for suspicious traffic on OT-specific ports, particularly traffic originating from overseas hosting providers
- Enforce multifactor authentication (MFA) for any access to OT networks
- Keep all PLC firmware and software up to date
- Disable any unused services and authentication methods to reduce the device attack surface
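One way to act on the monitoring recommendation above is to run firewall or flow logs through a small check that flags any connection to EtherNet/IP ports from a source that is not an approved engineering host. The script below is an added example, not code from the advisory, CISA, Censys or Rockwell; it assumes a generic one-connection-per-line flow log format, an allowlist subnet of 10.20.0.0/24, and a PLC VLAN of 10.30.1.0/24, and every address and log line in it is constructed. EtherNet/IP uses TCP 44818 for CIP explicit messaging (the channel programming tools use to read and write controller projects) and UDP 2222 for implicit I/O, so those two ports are what it watches.

```python
"""Flag connections to EtherNet/IP ports from sources that are not approved.

Added example, not from the advisory. Assumes a flow log with one line per
connection ("<ts> <src_ip> <dst_ip> <proto> <dst_port> <action>") and an
allowlist of engineering subnets. All addresses and lines are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# EtherNet/IP well-known ports: TCP 44818 = CIP explicit messaging,
# UDP 2222 = implicit I/O.
OT_PORTS = {("tcp", 44818), ("udp", 2222)}

# Assumed allowlist: only these subnets should ever reach a PLC.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# RFC 1918 ranges, used to distinguish an unapproved internal host from an
# internet source without relying on ipaddress.is_global().
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    proto: str
    port: int
    action: str
    reason: str


def parse_flow(line):
    """Parse one flow-log line; return None if it does not fit the assumed format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, port, action = parts
    try:
        return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(port), action.upper())
    except ValueError:
        return None


def in_any(addr, networks):
    return any(addr in net for net in networks)


def analyse(lines):
    """Return a Finding for each OT-port connection from a non-allowlisted source.

    Denied connections are reported too: a blocked probe from the internet
    against the PLC VLAN is still worth knowing about.
    """
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue  # malformed line, skip rather than crash
        ts, src, dst, proto, port, action = rec
        if (proto, port) not in OT_PORTS:
            continue
        if in_any(src, APPROVED_SOURCES):
            continue
        if in_any(src, RFC1918):
            reason = "unapproved internal source to OT port"
        else:
            reason = "internet source to OT port"
        findings.append(Finding(ts, str(src), str(dst), proto, port, action, reason))
    return findings


def summarise(findings):
    """Count findings per source address so repeat sources rise to the top."""
    return dict(Counter(f.src for f in findings))


# Constructed sample log: an approved engineering workstation, an internet
# address that reaches one PLC and is blocked on a second, an unapproved
# internal host, a non-OT flow, and a malformed line.
SAMPLE_LOG = [
    "2026-03-14T02:11:05Z 10.20.0.15 10.30.1.10 tcp 44818 ALLOW",
    "2026-03-14T02:11:09Z 203.0.113.77 10.30.1.10 tcp 44818 ALLOW",
    "2026-03-14T02:11:12Z 203.0.113.77 10.30.1.11 udp 2222 DENY",
    "2026-03-14T02:12:40Z 192.168.5.23 10.30.1.10 tcp 44818 ALLOW",
    "2026-03-14T02:13:01Z 10.20.0.15 10.30.1.10 tcp 443 ALLOW",
    "not a flow record",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port}/{f.proto} {f.action}: {f.reason}")
    print(summarise(analyse(SAMPLE_LOG)))
```

On the sample log this yields three findings: the internet address on both its allowed and its denied connection, and the unapproved internal host. An allowed connection from a non-RFC 1918 source straight to a PLC port is the case the advisory's first recommendation (firewall or disconnect) is meant to make impossible, so any such line in a real log is a configuration problem as well as a detection.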
These measures are consistent with longstanding guidance from CISA and other agencies but take on added urgency given the confirmed, active exploitation occurring against these specific device types.
A Pattern of Iranian Attacks on US Critical Infrastructure
The current campaign does not exist in isolation. It follows a well-documented pattern of Iranian-linked intrusions targeting U.S. operational technology, stretching back several years.
Nearly three years ago, a threat group affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) — tracked under the name CyberAv3ngers — exploited vulnerabilities in U.S.-based Unitronics operational technology systems. That group compromised at least 75 Unitronics PLC devices across multiple attack waves between November 2023 and January 2024. Half of those compromised devices were located within Water and Wastewater Systems critical infrastructure networks across the United States, highlighting the potential for these intrusions to directly threaten public health and safety.
More recently, a separate Iranian-linked actor entered the spotlight. The Handala hacktivist group, which has been tied to Iran's Ministry of Intelligence and Security, reportedly wiped approximately 80,000 devices from the network of U.S. medical giant Stryker. The wiped assets reportedly included employees' mobile devices as well as company-managed personal computers — underscoring the breadth of destruction that Iranian-aligned actors are willing and able to inflict on U.S. organizations across multiple sectors.
Why This Threat Demands Immediate Attention
The convergence of several factors makes this campaign particularly serious. First, the sheer scale of exposure — nearly 4,000 internet-facing industrial devices in the United States alone — gives adversaries an enormous pool of potential targets. Second, the geopolitical context cited by federal agencies suggests that the intensity of these attacks is unlikely to diminish in the near term. Third, the targeting of SCADA and HMI systems means that successful intrusions have the potential to move beyond data theft into the manipulation of physical processes, with real-world consequences for infrastructure reliability and public safety.
Organizations operating Rockwell Automation/Allen-Bradley equipment in any critical infrastructure sector are strongly encouraged to audit their network architecture immediately and apply the defensive measures outlined in the federal advisory without delay.
Source: BleepingComputer