A coalition of top U.S. security and infrastructure agencies has issued an urgent joint advisory warning that Iranian state-affiliated advanced persistent threat (APT) actors are actively targeting and compromising internet-exposed programmable logic controllers (PLCs). These attacks, focused on equipment from major industrial automation provider Rockwell Automation/Allen-Bradley, are aimed at U.S. organizations across critical sectors including Government Facilities, Water and Wastewater Systems, and Energy. The advisory, authored by the FBI, CISA, NSA, the Environmental Protection Agency (EPA), the Department of Energy (DOE), and the U.S. Cyber Command's Cyber National Mission Force (CNMF), states these ongoing campaigns have already caused financial losses and operational disruptions since at least March 2026. The agencies assess that the intent is to cause tangible disruption, including the malicious manipulation of industrial project files and the data displayed on critical Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems.
The advisory provides a stark assessment of the attackers' motives and capabilities. "The FBI assesses a group of Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions—including maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays—to U.S. critical infrastructure organizations," the warning states. It further notes a concerning escalation: "Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to hostilities between Iran, and the United States and Israel." This indicates a shift from espionage and data theft to potentially destructive cyber-physical operations that could impact essential services.
The technical specifics of the campaign highlight a fundamental weakness in operational technology (OT) security: the direct internet exposure of industrial control systems (ICS). By scanning for and accessing poorly secured Rockwell PLCs, the threat actors can upload malicious logic to the controllers. This lets them not only disrupt physical processes but also manipulate the feedback data sent to operator workstations, creating a dangerous scenario in which operators believe systems are functioning normally while they are being sabotaged. The FBI confirmed that this activity has also resulted in the extraction of sensitive operational data, further compounding the risk.
In response to this immediate threat, the joint advisory provides detailed mitigation steps for critical infrastructure operators. The primary recommendation is to immediately remove Rockwell and other PLCs from direct internet access, ensuring they are behind firewalls and accessed only through secure, segmented networks. Organizations are urged to implement robust network monitoring for unusual traffic to and from these devices, enforce multi-factor authentication, and ensure all industrial software is updated to the latest versions. This warning serves as a critical reminder of the persistent and evolving threat to national infrastructure and the urgent need for robust OT/IT cybersecurity convergence to prevent potentially catastrophic physical disruptions.
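The advisory's network-monitoring recommendation is easy to state and harder to operationalize. The following script is an added example written for this article, not code from the advisory, the agencies, or Rockwell. It reads constructed key=value flow records and flags two conditions a defender cares about here: PLC-protocol traffic from an address outside the organization's own internal ranges (evidence that a controller is reachable from the internet) and PLC-protocol traffic from an internal host that is not an approved engineering workstation. The PLC and workstation addresses, the internal ranges, and the log format are all assumptions; the ports (EtherNet/IP on TCP 44818 and CIP implicit I/O on UDP 2222) are the ones Rockwell/Allen-Bradley controllers commonly use but are not taken from the article.

```python
"""Flag PLC-protocol traffic from unexpected sources in firewall/flow logs.

Added example for this article; not from the joint advisory or any vendor tool.
Assumptions (all constructed for the example): the PLC and engineering
workstation addresses, the internal address ranges, and the key=value log
format. Ports 44818/tcp (EtherNet/IP) and 2222/udp (CIP I/O) are the ones
Rockwell/Allen-Bradley controllers commonly listen on.
"""
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: which hosts are controllers, and which hosts
# are allowed to talk to them using PLC protocols.
PLC_HOSTS = {"10.20.5.11", "10.20.5.12"}
ENGINEERING_WORKSTATIONS = {"10.20.1.50"}
PLC_PORTS = {44818, 2222}

# The organization's own address space (RFC 1918 here, an assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Finding categories returned by classify().
EXTERNAL_SOURCE = "external_source"        # PLC reachable from outside the org
UNAPPROVED_INTERNAL = "unapproved_internal" # internal host not on the allowlist

# Constructed sample flow records, one key=value record per line.
SAMPLE_LOGS = """\
ts=2026-03-02T08:14:05Z src=10.20.1.50 dst=10.20.5.11 dport=44818 proto=tcp
ts=2026-03-02T08:15:11Z src=203.0.113.77 dst=10.20.5.11 dport=44818 proto=tcp
ts=2026-03-02T08:16:42Z src=10.20.7.23 dst=10.20.5.12 dport=44818 proto=tcp
ts=2026-03-02T08:17:03Z src=10.20.1.50 dst=10.20.5.12 dport=2222 proto=udp
ts=2026-03-02T08:18:30Z src=198.51.100.9 dst=10.20.5.12 dport=2222 proto=udp
ts=2026-03-02T08:19:00Z src=10.20.1.50 dst=10.20.5.11 dport=443 proto=tcp
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tolerant of '=' inside values."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(record):
    """Return a Finding for a suspicious PLC-protocol flow, else None."""
    dst = record["dst"]
    dport = int(record["dport"])
    # Only PLC-protocol traffic to a known controller is in scope.
    if dst not in PLC_HOSTS or dport not in PLC_PORTS:
        return None
    src = record["src"]
    if not is_internal(src):
        return Finding(record["ts"], src, dst, dport, EXTERNAL_SOURCE)
    if src not in ENGINEERING_WORKSTATIONS:
        return Finding(record["ts"], src, dst, dport, UNAPPROVED_INTERNAL)
    return None


def detect(log_text):
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

An `external_source` finding is the condition the advisory tells operators to eliminate outright: if the controller can be reached from a public address at all, the fix is architectural (move it behind the firewall and into a segmented network), not just an alert. The `unapproved_internal` finding is the more routine signal that pays off after segmentation is in place, since any new host touching the PLC ports should be a deliberate change by the engineering team.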