CISA and federal partners are warning of an increase in advanced cyberattacks against US critical infrastructure, especially industrial control systems (ICS) and operational technology (OT), including attacks backed by nation-state actors. These nation-states are exploiting weak configurations, legacy software, and internet-connected devices, prompting urgent calls for stronger security to prevent service interruptions and safety hazards.

Key Threats and Targeted Sectors 

  • Attackers are increasingly targeting water and wastewater, energy, transportation, and healthcare sectors.  
  • Russian and Iranian-affiliated groups have been identified as probing US infrastructure.  
  • Attackers use living-off-the-land techniques (using legitimate tools and processes for malicious purposes), valid user accounts, and weaknesses in vendor remote access (access provided by third-party vendors to systems).  
  • Many ICS environments still use older technologies that are harder to secure using modern practices.  

Recommended Mitigations 

CISA recommends that organizations take these steps to secure their OT environments:  

  • Require phishing-resistant multi-factor authentication (MFA methods whose credentials cannot be captured and replayed by a phishing site or message), especially for vendor remote access.
  • Disconnect operational technology (OT) and industrial control systems (ICS) from the public internet.  
  • Apply patches promptly to fix known vulnerabilities.  
  • Keep information technology (IT) and operational technology (OT) networks separate and disable shared accounts.  
  • Report incidents to CISA immediately through the agency’s industry reporting system.  

Organizations should review the CISA cybersecurity advisories for more details on threat actor tactics and signs of compromise.  

Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activities targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley. This activity has led to PLC disruptions across several US critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss.

US organizations should quickly review the TTPs and IOCs outlined in this advisory to identify potential threats on their networks, and follow the recommendations in the mitigations section to reduce risk.  

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command-Cyber National Mission Force (CNMF), hereafter referred to as the authoring agencies, are urgently warning US organizations of ongoing cyber exploitation of internet-connected operational technology (OT) devices, including Rockwell Automation/Allen-Bradley manufactured programmable logic controllers (PLCs), across multiple US critical infrastructure sectors. As a result of this activity, organizations across multiple U.S. critical infrastructure sectors experienced disruptions due to malicious interactions with project files and the manipulation of data displayed on human-machine interface (HMI) and supervisory control and data acquisition (SCADA) displays. In a few cases, this activity has led to operational disruptions and financial losses.

Given the widespread use of these PLCs and related OT devices, the authoring agencies advise U.S. organizations to review these advisories, tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IoCs). Organizations should monitor for suspicious activity and follow mitigation recommendations.  

The authoring agencies assess that a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including government services and facilities (including local municipalities), water and wastewater systems (WWS), and energy sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group), a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and the Cyber Electronic Command (CEC).

If owners or operators find an affected internet-accessible device in their environment, they may need to take additional technical measures to assess the risk. They should contact the authoring agencies and the relevant vendors through their usual support channels for help with support, mitigation, and investigation. Organizations should also activate their cyber incident response plans.

In addition to contacting the authoring agencies, organizations with Rockwell Automation/Allen-Bradley-manufactured PLCs should review the manufacturer’s previously issued guidance to strengthen the security of their operational technology deployments: PN-1555 (CVE-2021-22681), an authentication bypass vulnerability found in Logix controllers, published in 2021; and SD-1771, published in 2026, in which Rockwell Automation reiterates its guidance to customers to disconnect devices from the internet and harden PLCs to protect against cyberattacks. Contact the Rockwell Automation Product Security Incident Response Team (PSIRT) at psirt@rockwellautomation.com for questions regarding this guidance or to report cyber incidents related to Rockwell Automation products.

For more information on Iranian malicious cyber activity, see CISA’s Iran Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.

Source: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure