The Cybersecurity and Infrastructure Security Agency and other U.S. federal agencies have issued an advisory warning that Iranian-affiliated cyber actors are actively targeting programmable logic controllers used across critical infrastructure sectors, causing operational disruptions in some cases.
Don’t miss the chance to connect with leaders strengthening defenses against evolving global threats at the Potomac Officers Club's 2026 Cyber Summit on May 21. Register today!
What Activity Have CISA & Other Agencies Observed?
CISA said in the advisory released Tuesday that, along with the FBI, National Security Agency, Environmental Protection Agency, Department of Energy and U.S. Cyber Command – Cyber National Mission Force, it believes advanced persistent threat actors are exploiting internet-connected operational technology devices, including programmable logic controllers, or PLCs, developed by Rockwell Automation and Allen-Bradley. The agencies said malicious activity has involved unauthorized interaction with project files and manipulation of data displayed on supervisory control and data acquisition systems.
Which Devices Are Affected?
The authoring agencies noted that attackers are targeting devices used across government services, water and wastewater, and energy sectors. Affected devices include CompactLogix and Micro850 PLCs, with traffic observed on ports 44818, 2222, 102, 22 and 502. The agencies also said the actors deployed Dropbear SSH software to gain remote access through port 22. Indicators of compromise include IP addresses originating from overseas hosting providers.
How Are the Attacks Being Carried Out?
Threat actors are using overseas-based infrastructure to access exposed devices and communicate through common industrial control system ports. In some instances, they deployed remote access tools to maintain control of compromised systems. Moreover, the activity has resulted in altered system data and disruption of industrial processes, with some organizations reporting financial impacts tied to the incidents.
What Actions Are Recommended?
To safeguard critical infrastructure, organizations must immediately disconnect PLCs from the public-facing internet and remove all inbound port exposure to prevent unauthorized external access. Remote connectivity should be strictly mediated through secure gateways or jump hosts, while cellular modems must be hardened with strong authentication, regular updates and active logging. For physical security, operators should set controller switches to the run position to block remote logic modifications and use software-based programming protections on devices such as Siemens S7. Finally, maintaining and testing offline backups of all PLC configurations is essential.
Organizations are urged to review tactics and techniques, and indicators of compromise outlined in the advisory and coordinate with federal and vendor support channels if suspicious activity is identified.
