The Cybersecurity and Infrastructure Security Agency (CISA) and other U.S. federal agencies have issued an advisory warning that Iranian-affiliated cyber actors are actively targeting programmable logic controllers used across critical infrastructure sectors, causing operational disruptions in some cases.
What Activity Have CISA & Other Agencies Observed?
CISA said in the advisory released Tuesday that, along with the FBI, National Security Agency, Environmental Protection Agency, Department of Energy and U.S. Cyber Command – Cyber National Mission Force, it believes advanced persistent threat actors are exploiting internet-connected operational technology devices, including programmable logic controllers, or PLCs, from Rockwell Automation's Allen-Bradley product line. The agencies said the malicious activity has involved unauthorized interaction with PLC project files and manipulation of the data displayed on supervisory control and data acquisition (SCADA) systems, so operators may be looking at falsified process values.
Which Devices Are Affected?
The authoring agencies noted that attackers are targeting devices used across the government services, water and wastewater, and energy sectors. Affected devices include CompactLogix and Micro850 PLCs, with traffic observed on ports 44818 and 2222 (EtherNet/IP, the CIP explicit and implicit I/O channels Rockwell controllers use), 102 (ISO-TSAP, used by Siemens S7 communications), 22 (SSH) and 502 (Modbus/TCP). The agencies also said the actors deployed Dropbear SSH software to gain remote access through port 22. Indicators of compromise include IP addresses belonging to overseas hosting providers.
How Are the Attacks Being Carried Out?
Threat actors are using overseas-based infrastructure to reach devices exposed directly to the internet and communicate with them over the common industrial control system ports listed above. In some instances, they deployed remote access tools to maintain control of compromised systems. The activity has resulted in altered system data and disruption of industrial processes, and some organizations have reported financial impacts tied to the incidents.
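The two sections above reduce to a concrete detection question: is any PLC on the plant network receiving connections on those ICS service ports from an address outside the plant? The following script is an added example, not code from the advisory or from CISA, that runs that check over a few constructed firewall-style connection log lines (the addresses, the log format, the 10.20.0.0/16 internal range and the helper names are all assumptions made for the example). It also flags a Dropbear SSH banner, since the advisory names Dropbear as the tool the actors deployed.

```python
"""Detection sketch: inbound connections from outside the plant network to
the ICS/PLC ports named in the advisory (44818, 2222, 102, 22, 502)."""
import ipaddress
from collections import defaultdict

# Ports named in the advisory, mapped to the service that normally listens there.
ICS_PORTS = {
    44818: "EtherNet/IP (CIP explicit messaging)",
    2222: "EtherNet/IP (CIP implicit I/O)",
    102: "ISO-TSAP / S7comm",
    22: "SSH",
    502: "Modbus/TCP",
}

# Assumed plant/OT address space; anything outside it is treated as external.
# Do not use ipaddress.is_global for this: the RFC 5737 documentation ranges
# used in the sample below are classified as non-global by Python.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log lines, not from any real incident. Format:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
SAMPLE_LOG = """\
2025-10-01T03:12:07Z 203.0.113.45:51234 -> 10.20.0.15:44818 tcp
2025-10-01T03:12:09Z 203.0.113.45:51235 -> 10.20.0.15:22 tcp
2025-10-01T03:13:40Z 10.20.0.7:40022 -> 10.20.0.15:44818 tcp
2025-10-01T03:15:02Z 198.51.100.9:60110 -> 10.20.0.16:502 tcp
2025-10-01T03:15:55Z 10.20.0.7:40023 -> 10.20.0.16:102 tcp
2025-10-01T03:16:10Z 203.0.113.45:51240 -> 10.20.0.15:443 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, proto)."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line format: {line!r}")
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port), proto


def is_external(ip):
    """True if the address is outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ics_connections(log_text):
    """Return one dict per connection that reaches an ICS port from outside."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, dst_ip, dst_port, proto = parse_line(line)
        if dst_port in ICS_PORTS and is_external(src_ip):
            hits.append({
                "time": ts,
                "src": src_ip,
                "plc": dst_ip,
                "port": dst_port,
                "service": ICS_PORTS[dst_port],
                "proto": proto,
            })
    return hits


def summarize_by_device(hits):
    """Map each PLC address to the set of ICS ports reached from outside.

    Any entry here means the device has inbound internet exposure that the
    advisory says should not exist at all, whoever the connecting party was."""
    exposure = defaultdict(set)
    for h in hits:
        exposure[h["plc"]].add(h["port"])
    return dict(exposure)


def is_dropbear_banner(banner):
    """Flag an SSH banner from Dropbear, the tool the advisory says was deployed.

    Dropbear also ships legitimately on many embedded devices, so treat a match
    as a lead to compare against the device's known baseline, not as proof."""
    return "dropbear" in banner.lower()


if __name__ == "__main__":
    found = find_exposed_ics_connections(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["src"]} -> {h["plc"]}:{h["port"]} ({h["service"]})')
    for plc, ports in sorted(summarize_by_device(found).items()):
        print(f"{plc}: externally reachable on {sorted(ports)}")
```

On the sample, the two internal connections and the external connection to port 443 are ignored, and the summary reports 10.20.0.15 reachable from outside on 44818 and 22 and 10.20.0.16 on 502. Internal traffic to 44818 or 102 is normal engineering-workstation activity and is deliberately not flagged; the point of the check is exposure, not the port itself.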
What Actions Are Recommended?
To safeguard critical infrastructure, the agencies say organizations must immediately disconnect PLCs from the public-facing internet and remove all inbound port exposure so that the devices cannot be reached from outside at all. Any remote connectivity that is genuinely needed should be mediated through secure gateways or jump hosts rather than direct port forwarding, and cellular modems must be hardened with strong authentication, regular updates and active logging. For physical protection, operators should set controller mode switches to the run position so that logic cannot be modified remotely, and should use the software-based programming protections available on controllers such as the Siemens S7 line. Finally, maintaining and regularly testing offline backups of all PLC configurations is essential, so that a known-good program can be restored if logic or project files are tampered with.
Organizations are urged to review the tactics, techniques and indicators of compromise outlined in the advisory and to coordinate with federal and vendor support channels if suspicious activity is identified.
