Urgent alert: Iran-related actors point to PLCs exposed in critical US infrastructure. UU and risk operational continuity

U.S. security agencies issued an urgent call: a group of Iran-related actors are targeting Rockwell / Allen-Bradley's programmable logical controllers (PLCs) accessible from the Internet within critical infrastructure networks in the United States. The warning, signed jointly by the FBI, CISA, NSA, EPA, the Department of Energy and the United States Cyber Command - Cyber National Mission Force, describes an active campaign that, according to these agencies, has caused economic losses and operational changes since March 2026. You can read the official document in the IC3 shared notice Here..

To understand the gravity of the matter, it is important to remember what these devices are: the PLC are the backbone of many industrial and public service processes, as they orchestrate pumps, valves, engines and measurements that keep water plants, energy networks and government buildings in place. When a PLC is directly exposed to the Internet it loses perimeter protection and becomes an accessible target for attackers who seek to manipulate the control logic or information shown by the HMI and SCADA panels.

The joint notice points to multiple critical infrastructure sectors, including government services, water and wastewater systems and energy, and details specific tactics: project file extraction from the devices themselves and alteration of HMI / SCADA screens to show false values or hide incidents. This type of manipulation not only causes economic losses due to interruptions, but may put public safety at risk if critical operations are diverted or paralyzed.

This is not a new threat to the OT ecosystem: as early as November 2023, CISA warned about activities of a group called CyberAv3ngers, linked to the Islamic Revolutionary Guard Corps (IRGC), which exploited Unitonics systems and committed tens of PLCs in American networks according to the CISA itself. This precedent shows that actors with state or state-affiliated resources can maintain persistent and specific campaigns against industrial control technology.

In view of this, the agencies responsible have emphasized practical measures to reduce the surface of attack. Recommendations include isolating the PLC from direct Internet access or protecting them with adequate firewalls, reviewing records and looking for compromise indicators that agencies have shared, and monitoring abnormal traffic to typical OT ports, especially if the origin is from hosting providers abroad. It is also advised to implement multifactor authentication for access to OT networks, update firmware and disable default services and credentials that are not used. They are common sense measures in industrial cybersecurity: less exposure, stronger authentication, daily patches and continuous monitoring. CISA maintains resources and guides to ensure industrial control environments available on its industrial control systems portal Here..

The warning comes in a tense geopolitical context: the agencies attribute the intensification of these campaigns to Iranian-like actors and relate it to escalation in hostilities between Iran and the United States or Israel. In addition, the notice recalls recent episodes of public impact, such as hacktivist group operations and reports of the use of messaging platforms to distribute malware, which emphasizes that the threat combines technical capabilities with political motivations and disinformation or vandalism campaigns.

For operators and security officials in companies that manage OT assets, the key is to act quickly and with clear priorities. First, identify which PLCs are exposed and cut that direct access if not strictly necessary. Then, apply perimeter controls, segment the network so that a committed component does not allow to move laterally to critical systems, and review the projects stored on the devices in case they have been removed or altered. Finally, establish monitoring that detects changes in HMI / SCADA screens and unusual traffic patterns that may indicate manipulation.

For their part, manufacturers and suppliers of control solutions should publish safety notices, patches and good practices specific to their products; Rockwell Automation, for example, has a space with product safety warnings and recommendations that those responsible can consult to implement recommended updates and mitigation on your safety portal.

In short, the combination of persistent actors, exposed industrial devices and the possibility of altering operational information makes this campaign a wake-up call: industrial cybersecurity is not a theoretical matter but a question of operational continuity and public safety. Those who manage critical infrastructure should prioritize the reduction of exposure, the application of robust access controls, parking and constant monitoring, and rely on official guides to respond quickly to any signs of intrusion.