PLCs exposed to the Internet: the new vector of Iranian attacks on critical infrastructure

Published · 4 min read

In recent weeks, a risk that cybersecurity specialists have been warning about for years has materialized: programmable logic controllers (PLCs) exposed to the Internet have become a direct target of campaigns linked to states with offensive cyber capabilities. A joint advisory issued by U.S. federal agencies notes that groups tied to the Iranian government have focused their efforts on Rockwell Automation / Allen-Bradley devices since March 2026, causing operational disruptions and economic losses in critical infrastructure networks.

The danger is not theoretical: according to the investigations cited by the agencies, attackers not only gain access to the equipment, they also extract project files and manipulate what HMI panels and SCADA systems display. This combination of configuration exfiltration and tampering with control interfaces is particularly worrying because it enables both deep reconnaissance of the plant and the execution of changes that can go unnoticed by operators relying on false readings.

(Image generated with AI.)

An attack surface analysis published by the Internet scanning firm Censys identified more than 5,200 hosts that respond to the EtherNet/IP protocol and identify themselves as Rockwell / Allen-Bradley devices. Censys explained that roughly three quarters of these devices are physically located in the United States and that a significant share appears within autonomous systems (ASNs) belonging to cellular operators, suggesting field deployments connected through cellular modems.

The fact that many PLCs are reachable from the public network is no coincidence: factors such as default configurations, the absence of firewalls between the industrial and public networks, poorly secured remote access, or the use of cellular connections without segmentation can turn a controller into an open window into a plant. In addition, industrial protocols such as EtherNet/IP often reveal signatures and metadata that make automated identification of vulnerable equipment easy.

This surge of activity is part of a broader trend. In 2023 and early 2024, the group known as CyberAv3ngers focused its campaigns on Unitronics controllers and achieved compromises in water and wastewater systems in the United States; the CISA alert on that case documents tactics and recommendations that are relevant again today. Separately, reports from security companies have linked actors such as Handala to the mass wiping of devices in large corporate networks, showing the range of techniques that groups with different objectives can use.

Given this scenario, the defensive measures are clear but demanding: isolate and segment OT networks, prevent PLCs and HMIs from being directly reachable from the Internet, and apply perimeter controls, including firewalls and gateways specific to industrial traffic. It is also critical to enforce strong authentication, such as multi-factor authentication, for remote access, to keep firmware and projects up to date with official manufacturer patches, and to disable unused services and authentication methods.

Early detection can make the difference: monitoring device logs and network flows for unusual patterns, reviewing inbound connections from foreign hosting providers or cellular-operator ASNs, and performing controlled scans to identify exposed hosts should all be part of the routine operation of any team responsible for critical infrastructure. In addition, where compromise is suspected, evidence should be preserved and both the competent authorities and the manufacturer itself should be notified in order to coordinate response and mitigation.
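One way to turn the flow review described above into a repeatable check, as an added example that is not part of the article or of any Censys/CISA tooling: flag every inbound session that reaches the PLC subnet on the EtherNet/IP port from a source outside the allowlist, and enrich external sources with their ASN. The flow-record format, the OT and engineering subnets, the ASN table and the sample lines are all constructed placeholders; only the EtherNet/IP port (TCP 44818) is the protocol's registered value.

```python
"""Flag EtherNet/IP sessions to OT hosts from non-allowlisted sources (added example)."""
import ipaddress
import re
from typing import Dict, List

ETHERNET_IP_PORT = 44818  # EtherNet/IP explicit messaging, registered TCP port

# Hypothetical plant addressing: the PLC/HMI subnet, the corporate range, and the only
# sources that are allowed to open EtherNet/IP sessions into the OT subnet.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")
CORPORATE_RANGE = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24"),   # engineering workstations
                   ipaddress.ip_network("192.0.2.0/24")]   # remote-support VPN pool (placeholder)

# Hypothetical ASN lookup table; a real deployment would query a routing/GeoIP database.
ASN_OF_PREFIX: Dict[str, str] = {"198.51.100.0/24": "AS64500 (example foreign hosting)",
                                 "203.0.113.0/24": "AS64501 (example cellular operator)"}

# Constructed syslog-like flow format: "... src=A dst=B dport=N proto=P ..."
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

def lookup_asn(addr: ipaddress.IPv4Address) -> str:
    """Map a source address to an ASN label; internal addresses get a fixed label."""
    if addr in CORPORATE_RANGE:
        return "internal, not allowlisted"
    for prefix, asn in ASN_OF_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return "unknown ASN"

def flag_exposed_plc_sessions(flow_lines: List[str]) -> List[dict]:
    """Return one finding per flow that reaches the OT subnet on TCP 44818 from a
    source outside ALLOWED_SOURCES. Lines that are not flow records are skipped."""
    findings = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst not in OT_SUBNET or int(m["dport"]) != ETHERNET_IP_PORT or m["proto"].lower() != "tcp":
            continue  # not an EtherNet/IP session into the OT subnet
        if any(src in net for net in ALLOWED_SOURCES):
            continue  # expected engineering or support traffic
        findings.append({"src": str(src), "dst": str(dst), "asn": lookup_asn(src), "line": line.strip()})
    return findings

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "2026-03-12T08:01:02Z fw1 flow: src=10.10.5.23 dst=10.20.1.7 dport=44818 proto=tcp action=allow",
    "2026-03-12T08:01:09Z fw1 flow: src=198.51.100.45 dst=10.20.1.7 dport=44818 proto=tcp action=allow",
    "2026-03-12T08:02:41Z fw1 flow: src=203.0.113.9 dst=10.20.1.12 dport=44818 proto=tcp action=allow",
    "2026-03-12T08:03:00Z fw1 flow: src=203.0.113.9 dst=10.20.1.12 dport=443 proto=tcp action=allow",
    "2026-03-12T08:03:30Z fw1 flow: src=10.30.7.4 dst=10.20.1.7 dport=44818 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in flag_exposed_plc_sessions(SAMPLE_FLOWS):
        print(f"ALERT EtherNet/IP from {f['src']} ({f['asn']}) -> {f['dst']}")
```

On the sample lines this yields three findings: the two documentation-range sources (hosting and cellular ASN) and one internal host outside the engineering subnet, while the allowlisted workstation and the port-443 flow are ignored.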


Operators are not alone: manufacturers and public bodies publish technical guides and advisories that should be followed. Rockwell Automation maintains communication channels and security advisories on its support portal; consult them to apply the mitigations specific to your PLCs. For more general policies and practices on security in industrial control systems, NIST SP 800-82 provides a consolidated technical framework that many organizations use as a reference.

It is also advisable to review the public analyses and technical notes that specialized cybersecurity firms publish on specific campaigns and tools: the Censys report cited above provides exposure data and detection trends, and Unit42 of Palo Alto Networks has documented other operations attributed to Iranian actors that help in understanding their recurring tactics, techniques and procedures.

The lesson is simple but urgent: in a world where remote connectivity is part of standard operation, the security of industrial devices cannot remain a secondary responsibility. Protecting PLCs, segmenting networks and monitoring actively are measures that prevent everything from production stoppages to public-safety risks, and their implementation should be a priority for any organization that manages critical infrastructure.
