Iranian hackers targeting PLCs are ramping up their cyberattacks against U.S. critical infrastructure — and the scale of exposure is alarming. A newly issued joint advisory from the FBI, CISA, NSA, the Environmental Protection Agency (EPA), the Department of Energy (DOE), and U.S. Cyber Command has put American industrial operators on notice: thousands of internet-facing industrial control devices are actively being targeted right now.

Iranian Hackers Targeting PLCs: What’s Happening

Iranian-linked hackers have been targeting Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) — the industrial computers that automate and control critical machinery across sectors like water treatment, energy distribution, and manufacturing — since at least March 2026, causing operational disruptions and financial losses at victim organizations.

The FBI’s assessment is that these Iranian-affiliated APT actors are targeting internet-exposed PLCs with the intent to cause disruptions, including maliciously interacting with project files and manipulating the data shown on human-machine interface (HMI) and SCADA displays. In plain English: they’re not just snooping — they’re reaching into systems that control physical industrial processes and changing what operators see on their screens.

The Scale of Exposure

The numbers are sobering. According to Censys data, 5,219 internet-exposed hosts globally responded to the EtherNet/IP (EIP) protocol and self-identified as Rockwell Automation/Allen-Bradley devices — and a staggering 74.6% of them, nearly 3,900 hosts, are located in the United States.

The geographic skew is consistent with Rockwell’s dominant market position in North American industrial automation, but it also means the U.S. bears the overwhelming majority of risk from this campaign. More than 3,000 of these Rockwell devices remain visible on the public internet, either because organizations are unaware they are exposed or they underestimate the risk, according to Markus Mueller, field CISO at Nozomi Networks.

Why Now?

U.S. federal agencies have warned that Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to ongoing hostilities between Iran and the United States and Israel. Geopolitical tensions are translating directly into cyber operations against American infrastructure — a pattern that has become increasingly common. This latest wave of Iranian hackers targeting PLCs is a direct reflection of those rising tensions.

This Isn’t Their First Rodeo

This campaign didn’t emerge from nowhere. It echoes attacks from nearly three years ago, when a threat group affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), tracked as CyberAv3ngers, targeted vulnerabilities in U.S.-based Unitronics operational technology (OT) systems. Between November 2023 and January 2024, CyberAv3ngers compromised at least 75 Unitronics PLC devices across multiple waves of attacks, with half of those in Water and Wastewater Systems critical infrastructure networks.

More recently, the attacks have grown even more brazen. The Handala hacktivist group, linked to Iran’s Ministry of Intelligence and Security, wiped approximately 80,000 devices from the network of U.S. medical giant Stryker, including employees’ mobile devices and company-managed computers.

What Organizations Should Do Right Now

The joint federal advisory is clear on recommended defensive actions. Network defenders are advised to disconnect PLCs from the internet or secure them behind a firewall, scan logs for indicators of compromise shared in the advisory, and check for suspicious traffic on OT ports — especially traffic originating from overseas hosting providers. They should also implement multifactor authentication (MFA) for access to OT networks, keep PLCs up to date with the latest firmware, and disable all unused services and authentication methods.

For controllers with a physical mode switch, agencies recommend placing it into the run position to prevent remote modification, switching to program or remote mode only when performing updates, then immediately switching back.
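As an added example (not code from the advisory or this article), here is a small Python check that applies the “suspicious traffic on OT ports” advice above to constructed flow-log lines: it flags any connection to the EtherNet/IP ports (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O, the standard assignments) whose source is outside RFC 1918 private space or is not on an assumed allowlist of engineering workstations. The log format, addresses and allowlist are assumptions.

```python
import ipaddress
from typing import Dict, List

# EtherNet/IP service ports (standard assignments, not values from the advisory):
# TCP 44818 for explicit CIP messaging, UDP 2222 for implicit I/O.
ENIP_PORTS = {44818, 2222}

# Assumed engineering workstations that are allowed to reach the PLCs (hypothetical).
ALLOWED_SOURCES = {"10.20.30.5", "10.20.30.6"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the source address lies outside RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one constructed key=value flow-log line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def flag_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings for flows that reach an EtherNet/IP port from an unexpected source."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if int(flow["dport"]) not in ENIP_PORTS:
            continue  # not OT protocol traffic
        src = flow["src"]
        if is_external(src):
            reason = "external source reaching EtherNet/IP port"
        elif src not in ALLOWED_SOURCES:
            reason = "internal source not on engineering allowlist"
        else:
            continue  # expected engineering-workstation traffic
        findings.append({"src": src, "dst": flow["dst"], "dport": flow["dport"], "reason": reason})
    return findings


# Constructed sample flow records (sources use private and documentation ranges).
SAMPLE_FLOWS = [
    "ts=2026-04-01T02:11:09Z src=10.20.30.5 dst=10.20.40.17 proto=tcp dport=44818",
    "ts=2026-04-01T02:12:44Z src=203.0.113.77 dst=10.20.40.17 proto=tcp dport=44818",
    "ts=2026-04-01T02:13:02Z src=10.20.50.9 dst=10.20.40.17 proto=udp dport=2222",
    "ts=2026-04-01T02:13:30Z src=198.51.100.24 dst=10.20.40.18 proto=tcp dport=443",
]
```

Running `flag_suspicious(SAMPLE_FLOWS)` reports the external source and the unlisted internal host, while the allowlisted workstation and the non-OT HTTPS flow pass; real deployments would feed it firewall or NetFlow exports and extend the allowlist to the site’s actual engineering hosts.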

The Bottom Line

Iran has demonstrated the capability, the intent, and now a clear pattern of escalating attacks against U.S. industrial infrastructure. The thousands of internet-exposed PLCs currently visible on the public internet represent an unacceptable risk — particularly as geopolitical tensions continue to rise and Iranian hackers targeting PLCs continue their aggressive campaign. If your organization operates industrial control systems, now is the time to audit your exposure, harden your OT networks, and take the federal advisory seriously.

The threat is not theoretical. It’s already happening.
