FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command are warning that Iran-affiliated cyber actors are targeting internet-connected operational technology devices across multiple U.S. critical infrastructure sectors, including programmable logic controllers, or PLCs. The advisory says the activity has already caused disruptions, manipulation of industrial display data, and in some cases operational and financial harm.

PLCs are the systems that automate and control physical industrial processes, including equipment such as pumps, valves, motors, and machinery in sectors like water, energy, and manufacturing.
The warning is significant because it moves beyond routine cyber espionage language and into disruptive operational activity. According to the advisory, the targeting spans Government Services and Facilities, Water and Wastewater Systems, and Energy. The agencies say the actors have interacted directly with PLC project files and manipulated data shown on human-machine interface, or HMI, and supervisory control and data acquisition, or SCADA, displays. In plain terms, that means the activity is not limited to scanning or attempted access. The U.S. government is describing interference with the logic and visual systems used to monitor and operate real industrial processes.
At the same time, the public advisory is more specific about exposure and access than it is about any single malware family. In the PDF released through ic3.gov, the agencies lay out attribution, infrastructure, affected ports, and tradecraft, but the document does not read like a classic malware disclosure. That distinction matters. The core defensive message in the advisory is not just that Washington says Iran-linked actors are behind the activity. It is that internet-facing industrial devices remain exposed in environments where they should not be.
What the U.S. Government Is Claiming
The advisory states that Iran-affiliated advanced persistent threat actors are exploiting internet-facing operational technology devices, including Rockwell Automation and Allen-Bradley PLCs, across U.S. critical infrastructure. The stated objective is disruptive effect. The agencies say victim organizations have already experienced diminished PLC functionality, manipulation of HMI and SCADA display data, operational disruption, and financial loss.
That is a serious claim, particularly because the sectors identified are not fringe environments. They include local government systems, water and wastewater operations, and energy infrastructure. In each of those sectors, PLCs are not passive devices. They sit close to the physical process. If a threat actor can alter logic, interfere with project files, or manipulate operational displays, the result can move from cyber intrusion into real-world disruption.
The advisory also says the current activity has been observed since at least March 2026. That is important because it places the campaign in the present tense. This is not framed as a purely historical incident or a closed case. It is being presented as ongoing activity that operators should investigate immediately.
How the Activity Allegedly Works
According to the advisory, the actors used overseas-based IP addresses to access internet-facing Rockwell Automation and Allen-Bradley PLCs. The document says they used leased, third-party hosted infrastructure along with configuration software such as Rockwell Automation’s Studio 5000 Logix Designer to create an accepted connection to victim devices. The named targets include CompactLogix and Micro850 PLCs.
That description is one of the most important parts of the advisory because it points to direct interaction with exposed devices rather than a vague claim of compromise. In other words, the government is not only saying that industrial targets were affected. It is saying the actors reached publicly exposed PLCs through real operational pathways and used legitimate configuration tooling to connect.
The advisory also notes suspicious activity on ports 44818, 2222, 102, 22, and 502. Those ports are associated with OT and industrial protocols and suggest the actors may not be limited to one vendor family. Although the warning focuses heavily on Rockwell devices, the document says the targeting of other OT-related ports suggests that devices from other manufacturers, including Siemens S7 PLCs, may also be in scope.
The agencies further state that the actors deployed Dropbear Secure Shell on victim endpoints to enable remote access over port 22. That is one of the few named tools in the public document. Even so, the advisory still reads more like an OT intrusion and disruption warning than a public malware teardown. The stronger public evidence package is built around exposed access paths, IP indicators, ports, accepted connections, and operational impact.
What the Impact Looks Like
The advisory says the activity resulted in extraction of the device’s project file and manipulation of data displayed on HMI and SCADA systems. That may sound narrow to general readers, but in operational technology environments it is not. A project file contains the logic and configuration settings that help determine how a controller behaves. HMI and SCADA displays are the visual layers operators use to monitor and interact with the industrial process.
That means the alleged activity cuts into two critical areas at once. One is the underlying control logic. The other is the human view of the process. If attackers can access project files and alter what operators see on their screens, they can affect both the machine and the operator’s understanding of what the machine is doing.
This is one reason OT incidents are treated differently from ordinary IT breaches. The issue is not just data theft or credential abuse. It is whether the attacker can interfere with the systems that govern physical operations. Even in cases where the damage stops short of a catastrophic failure, operational disruption alone can be expensive, dangerous, and difficult to reverse quickly.
Why PLC Exposure Matters So Much
Industrial environments have long been full of systems that were not originally built for direct internet exposure. Many were designed for internal networks, operational convenience, or controlled remote access models that assumed a narrower threat landscape. When those systems are later connected to the internet, whether by design, misconfiguration, convenience, or vendor workflow, the risk changes.
That is the broader reality sitting underneath the advisory. Whatever readers think about the precision of public attribution, the document is explicit that the targeted devices were internet-accessible and deployed without sufficient network or hardening controls. The strongest lesson in the warning is not abstract. It is operational. Exposed PLCs remain reachable, and adversaries are still willing to use that exposure.
This is also why the warning resonates beyond one country or one actor set. The problem is bigger than Iran-linked activity alone. Internet-facing OT devices continue to appear in sectors where disruption can carry outsized consequences. That leaves operators in the position of defending equipment that was never meant to sit casually on the public internet.
Connection to Earlier Iranian PLC Activity
The advisory places the current campaign in the context of earlier Iranian-linked targeting of industrial devices. It points back to a similar campaign beginning in November 2023 involving CyberAv3ngers, also known as the Shahid Kaveh Group, which targeted U.S.-based Unitronics PLCs and HMIs across multiple critical infrastructure sectors, including water and wastewater facilities.
That historical reference matters because it shows this is not being framed as an isolated or entirely new phenomenon. U.S. agencies are presenting the current activity as part of a broader pattern of Iranian-affiliated targeting of exposed industrial control devices. Whether that reflects a single continuous operational lineage or a broader strategic tendency, the public message is clear. PLCs remain a live target class in disruptive cyber activity.
What the Advisory Does Not Settle
The advisory is specific in some areas and limited in others. It provides indicators of compromise, port information, access tradecraft, and mitigation guidance. It also makes a direct attribution claim. What it does not provide in public is a full evidentiary package that would satisfy every outside observer on attribution, nor does it present a complete public malware narrative in the way some security researchers might expect.
That does not make the warning meaningless. It does mean the article has to stay disciplined. The most accurate way to frame the situation is that multiple U.S. agencies are warning of ongoing Iran-affiliated targeting of exposed PLCs, and the public technical details support a serious defensive concern around direct device exposure, accepted connections, project-file extraction, display manipulation, and remote access activity.
The advisory is strongest when it describes the exposure and the behavior. That is also where operators should focus first.
Mitigation Steps for Operators and Defenders
The agencies urge organizations to disconnect PLCs from the public-facing internet and place remote access behind a secure gateway or jump host. They also recommend placing the physical mode switch on Rockwell controllers in the RUN position to prevent remote modification while the devices are not actively being updated. For systems that allow software-based switching, the advisory recommends enabling programming protection to limit who can modify PLCs remotely.
Other recommendations include implementing multifactor authentication for access to the OT network from external networks, using a proxy, firewall, gateway, or VPN in front of PLCs when remote access is required, and monitoring for unexpected access from the internet. The advisory also calls for strong offline backups of PLC logic and configurations, blocking unnecessary traffic on common OT-related ports, disabling unused services and default authentication methods, and monitoring asset management systems for unauthorized configuration changes.
These are not cosmetic steps. They go directly to the access pattern the advisory describes. If attackers are reaching exposed controllers with legitimate configuration software and accepted connections, then reducing internet exposure and tightening remote access controls are the most immediate priorities.
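The monitoring step above can be made concrete. The following is an added example, not code from the advisory or from any of the agencies, that flags flow records toward the OT-related ports the advisory lists (44818, 2222, 102, 22, 502) when the source is outside the plant's internal address space or, for programming and administration ports, is anything other than the approved jump host. The sample records, the jump host address 10.10.5.20, and the use of RFC 1918 ranges as the definition of "internal" are all constructed assumptions.

```python
import ipaddress
# Ports the advisory names as carrying suspicious activity, with the industrial
# protocol each is commonly associated with.
OT_PORTS = {44818: "EtherNet/IP (CIP)", 2222: "EtherNet/IP (I/O)",
            102: "S7comm", 22: "SSH", 502: "Modbus/TCP"}
# Ports over which a controller can be programmed or administered, not just polled.
ENGINEERING_PORTS = {44818, 102, 22}
# Plant-internal address space (assumption: RFC 1918 only); any other source is
# treated as reaching the PLC from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical jump host: the only approved source of engineering traffic.
JUMP_HOSTS = {"10.10.5.20"}
# Constructed sample flow records, not data from the advisory; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_FLOWS = """\
ts=T1 src=10.10.5.20 dst=10.20.1.15 dport=44818 bytes=5120
ts=T2 src=10.20.1.30 dst=10.20.1.15 dport=502 bytes=240
ts=T3 src=203.0.113.77 dst=10.20.1.15 dport=44818 bytes=9800
ts=T4 src=198.51.100.9 dst=10.20.1.16 dport=22 bytes=3300
ts=T5 src=10.20.1.99 dst=10.20.1.15 dport=102 bytes=128
ts=T6 src=203.0.113.77 dst=10.20.1.15 dport=80 bytes=600
"""

def parse_flow(line):
    # One "key=value ..." record -> dict, with dport as an int.
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["dport"] = int(rec["dport"])
    return rec

def classify_flow(src, dport):
    # Label a flow to an OT port; None means the flow is expected.
    if dport not in OT_PORTS:
        return None
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in INTERNAL_NETS):
        return "internet-source"           # PLC reachable from outside the plant
    if dport in ENGINEERING_PORTS and src not in JUMP_HOSTS:
        return "non-jumphost-engineering"  # programming path bypassing the gateway
    return None

def find_unexpected_access(log_text):
    # Return (label, src, dst, dport, protocol) for every flagged record.
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        label = classify_flow(rec["src"], rec["dport"])
        if label:
            findings.append((label, rec["src"], rec["dst"], rec["dport"], OT_PORTS[rec["dport"]]))
    return findings
```

Run against the constructed records, the two flows from public addresses to the EtherNet/IP and SSH ports and the internal host reaching the S7comm port without going through the jump host are reported, while the jump host's own programming session and the HMI's Modbus polling are not.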
The Secure-by-Design Problem
One of the more important sections of the advisory is the one directed at manufacturers. The agencies say it is ultimately the responsibility of device makers to build products that are secure by design and secure by default. That includes not exposing administrative interfaces to the internet by default, supporting multifactor authentication, and not charging extra for basic security features required to operate the product safely.
That point deserves attention because industrial security failures are often pushed downstream to owners and operators, even when the original design assumptions were weak. In sectors like water, energy, and local government, operators may not have the budget, staffing, or specialized expertise to compensate indefinitely for insecure defaults. Secure-by-design language matters because it shifts part of the responsibility back to the vendors whose systems sit at the center of critical industrial processes.
Why This Warning Matters
The most important fact in the advisory is not only that the U.S. government says Iran-affiliated actors are responsible. It is that publicly reachable industrial control systems remain vulnerable to real operational interference. The warning describes activity that moved beyond passive access and into project-file extraction, display manipulation, disruption, and financial loss. Even without a dramatic malware narrative, that is enough to make the situation serious.
For operators, engineers, security teams, and public-sector defenders, the message is straightforward. Internet-facing PLCs are still an active target. Remote access paths remain a point of weakness. Industrial processes still depend on control systems that can become reachable in ways they were never meant to be. That is the real story running through the advisory.
Whether readers view the geopolitical framing with complete confidence or with some skepticism, the defensive problem is clear enough on its own. Exposed PLCs in critical infrastructure are dangerous, and the U.S. government is warning that they are already being exploited.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.