Iran hackers hit US water and energy systems


Iran-linked threat actors are actively hitting US government facilities, water systems, and energy infrastructure by exploiting exposed PLC devices – a critical component used to automate industrial control systems (ICS).

The US Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued the 12-page joint advisory on Tuesday, stating that multiple attacks have already led to PLC disruptions across several US critical infrastructure sectors – causing "operational disruption and financial loss" in some instances.

Iran’s state-affiliated actors are “conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the advisory said.

The Allen-Bradley brand is owned by Rockwell Automation, which is the PLC brand primarily used in North America. The CompactLogix and Micro850 PLC devices were listed by CISA as the intended targets.

However, other PLC brands could also be at risk, the agency said, including the Siemens S7 PLC, a brand widely used in Europe and Asia.

Iran-linked hackers target PLCs tied to water and energy

“The public exposure of these OT devices creates a vast attack surface that a motivated and capable adversary can exploit, which is especially relevant given the current conflict,” says Markus Mueller, Field CISO at Nozomi Networks.

“Industry groups, information sharing organizations, and vendors, including Rockwell, have been urging organizations to disconnect these devices from publicly accessible networks since it released its own security advisory on March 20th,” Mueller said.

Mueller warns that many of the PLC devices are still online – mainly because “organizations are either unaware they're connected or they underestimate the risk.”

He estimates, in the case of Rockwell, more than 3,000 devices are operating across North America.

Programmable logic controllers, or PLCs, were specifically named in the CISA advisory. Image by Photo_lensa | Shutterstock

Some figures suggest hundreds of thousands of PLC devices are deployed across US critical infrastructure, putting OT systems – including the nation’s electricity, oil, and natural gas supply, as well as the water and wastewater systems (WWS) – at imminent risk.

According to CISA, there are approximately 152,000 public drinking water systems, and more than 16,000 wastewater treatment systems in the US, serving 80% of the population.

Also being targeted are government services and facilities, including general-use buildings and special-use military installations, embassies, courthouses, and national laboratories, all of which can house critical equipment, systems, and networks.

Water systems are among the sectors facing elevated risk from internet-facing PLC attacks, US officials warn. Image by Borkin Vadim | Shutterstock

US agencies flag active targeting of industrial systems

The US has been on high alert for retaliatory cyberattacks by Iranian threat actors since President Trump took out Iran’s nuclear sites last summer, and new cyber threats have again emerged since the month-long barrage of US-Israeli airstrikes as part of Operation Epic Fury.

At least 130 Iran-linked hacktivist groups were observed actively targeting US, Israeli, and NATO interests since last June, prompting the US Department of Homeland Security to release its own advisory at the time warning of the Iranian cyber threat.

And with the war in Iran now in full swing, some of the more capable pro-Iranian advanced persistent threats (APTs) are now thought to be operating carte blanche outside of Iranian borders.

US agencies warn Iran-linked cyber actors are actively targeting industrial systems tied to critical infrastructure. Image by Cybernews.

Officials have already confirmed Russia has been sharing satellite imagery, upgraded drone technology, and tactical guidance with Iran, so it's entirely plausible Russian actors have joined the cyber melee as well.

Still, it's not the first time PLCs have been targeted by Iranian cyber actors.

In November 2023, the Iranian hacktivist group the CyberAv3ngers successfully breached the water authority of two Pennsylvania townships – all by exploiting the Israel-manufactured Unitronics PLCs, commonly used in water and wastewater systems (WWS).

The CyberAv3ngers also claimed attacks on at least ten water treatment stations in Israel the month prior, according to their X profile.

To note, although Rockwell is headquartered in Wisconsin, it maintains a distinct presence in Israel, including a local team of cyber experts, and is known to be heavily invested in several technology and cybersecurity firms, its website states.

Geopolitical tensions put OT systems in the crosshairs

Not surprised by the advisory, Mueller says the industry “has been observing nation-state aligned threat groups targeting publicly exposed operational technology (OT) devices whenever there's increased geopolitical activity.”

He also mentions the high-profile CyberAv3ngers campaign targeting Unitronics devices between 2023 and 2024.

Although there has been a recent and significant increase in such activity, Mueller also points out that “since the conflict began, threat groups have made hundreds of unverified claims of compromised OT devices worldwide, including in North America – but no public disclosures from affected organizations have come out.”

Mueller says it's common for groups to post screenshots of control systems, claiming a compromise even when they have not actually gained access.

“The fact that we are not seeing more publicly disclosed incidents may be a function of the scope of threat activity, such as a focus on DDoS and data leaks, or it could be because organizations don’t want to disclose breaches of this type,” Mueller said.

Iranian hackers have carried out a spate of cyberattacks on US and Israeli interests since February 28th when the war began, including more than a dozen attacks by one of the more publicly active threat groups, the Handala Hack Team.

Handala Hack Team has been actively targeting US interests since the war in Iran began on February 28th, 2026. Image by Cybernews

On its leak site, Handala has claimed responsibility for a breach and leak of the personal email account of FBI director Kash Patel, a massive cyberattack on the med tech giant the Stryker Corporation, allegedly wiping company data from over 200,000 systems, servers, and mobile devices, and doxxing more than two dozen Lockheed Martin staff in Israel, among many others.

Mueller also says the lack of disclosures could be because these groups are still in the discovery and initial access phases of their campaigns, adding that as the conflict continues, it's likely we'll see an increased tempo of events.

“And even if there is a resolution to hostilities, as in past conflicts, when kinetic attacks stop, we see a focus on hybrid warfare, including cyber,” he said.

CISA urges immediate defensive steps

Referred to by Rockwell as the “brain” of industrial systems, the PLC device itself is a ruggedized computer designed to automate manufacturing processes, machinery, and robotic systems.

It uses programmable memory to store and execute instructions for tasks like monitoring inputs, processing logic, and controlling outputs, the company states, making it a prime target for hackers looking to disrupt critical infrastructure.

The Municipal Water Authority of Aliquippa (MWAA) in Pennsylvania was hit by the pro-Iran hacktivist group CyberAv3ngers in November 2023. Image by MWAA.

The recent PLC attacks were said to be carried out by an unnamed Iranian APT group through malicious interactions “with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”

CISA says the bad actors were observed using “several overseas-based IP addresses to access the Rockwell PLCs [T0883].”

The criminals were also said to have used “leased, third-party hosted infrastructure with configuration software to create an accepted connection to the victim’s PLC,” particularly naming the Rockwell Automation’s Studio 5000 Logix Designer software.

To gain remote access, the actors deployed Dropbear Secure Shell (SSH) software on victim endpoints to enable access through port 22, where they could manipulate the system displays and extract the device’s project file.

The advisory urges cyber defenders to immediately remove PLCs from direct internet exposure via a secure gateway and firewall. For Rockwell Automation devices, this involves placing the physical mode switch on the controller into the run position.

CISA also suggests becoming familiar with the indicators of compromise (IOCs) and checking available logs for suspicious traffic on the ports associated with OT devices, especially traffic originating from overseas hosting providers.
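The log review CISA describes, covering both the SSH access path mentioned above and the controller's own protocol port, can be scripted. The following is an added example written for this article, not code from CISA, Rockwell or Nozomi Networks. It assumes a constructed one-connection-per-line firewall log format, treats RFC 1918 space as "internal", uses a constructed documentation prefix (203.0.113.0/24) as a stand-in for third-party hosting infrastructure, and adds TCP 44818 (the standard EtherNet/IP port used by Rockwell/Allen-Bradley controllers, a known port the article itself does not list) alongside TCP 22. It flags allowed connections to those ports from any non-internal source and ranks hosting-provider sources highest.

```python
import ipaddress
import re
from collections import defaultdict

# Destination ports to review. TCP 22 (SSH) reflects the Dropbear access
# path described in the advisory; TCP 44818 is the standard EtherNet/IP
# port used by Rockwell/Allen-Bradley controllers (a known standard port,
# not something the article itself lists).
OT_PORTS = {22: "ssh", 44818: "ethernet-ip"}

# Placeholder "internal" ranges (RFC 1918). A real deployment would use its
# own OT subnets and the specific engineering workstations allowed to talk
# to the controllers.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed placeholder prefix standing in for "leased, third-party hosting"
# infrastructure; a real list would come from ASN or threat-intel data.
HOSTING_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log format (one connection per line):
#   <timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port>/<proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>tcp|udp)$"
)

# Constructed sample lines: two allowed sessions from a hosting-provider
# address to a PLC on EtherNet/IP and SSH, one legitimate internal HMI
# session, one blocked probe, one external hit on a non-OT port, and one
# malformed line the parser must skip.
SAMPLE_LOG = [
    "2026-03-25T02:14:07Z ALLOW 203.0.113.45:51234 -> 10.20.30.5:44818/tcp",
    "2026-03-25T02:15:19Z ALLOW 203.0.113.45:51240 -> 10.20.30.5:22/tcp",
    "2026-03-25T02:16:00Z ALLOW 10.20.30.9:40000 -> 10.20.30.5:44818/tcp",
    "2026-03-25T02:17:41Z DENY 198.51.100.7:44000 -> 10.20.30.5:44818/tcp",
    "2026-03-25T02:18:02Z ALLOW 198.51.100.7:44001 -> 10.20.30.5:443/tcp",
    "malformed line that the parser should skip",
]


def classify_source(ip_str):
    """Bucket a source address as internal, hosting-provider, or other external."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    if any(ip in net for net in HOSTING_NETS):
        return "hosting"
    return "external"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspicious(lines):
    """Return allowed connections to OT ports whose source is not internal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["dport"] not in OT_PORTS:
            continue
        origin = classify_source(rec["src"])
        if origin == "internal":
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "port": rec["dport"],
            "service": OT_PORTS[rec["dport"]],
            "origin": origin,
            # Hosting-provider sources are what the advisory singles out.
            "severity": "high" if origin == "hosting" else "medium",
        })
    return findings


def summarize(findings):
    """Group findings by source address -> sorted list of OT ports touched."""
    by_src = defaultdict(set)
    for f in findings:
        by_src[f["src"]].add(f["port"])
    return {src: sorted(ports) for src, ports in by_src.items()}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['severity']:<6} {h['src']} -> {h['dst']}:{h['port']} "
              f"({h['service']}, {h['origin']})")
    print(summarize(hits))
```

On the constructed sample the script reports only the two sessions from the hosting-provider address, one on EtherNet/IP and one on SSH, and groups them by source so a single remote host touching both the controller protocol and a shell port stands out. Denied connections are deliberately left out of the findings, since the point of the review is traffic that was actually accepted; a real deployment would replace the placeholder ranges with its own OT subnets and an allowlist of engineering workstations.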
