CISA Alert: Iranian Cyber Actors Exploiting PLCs Across US Critical Infrastructure

CISA, FBI, NSA, EPA, and DOE have jointly issued an advisory warning that Iranian-affiliated APT actors are actively exploiting internet-facing programmable logic controllers (PLCs) across multiple US critical infrastructure sectors.

What's Happening

Iranian threat actors are targeting:

• Rockwell Automation/Allen-Bradley PLCs — Primary target
• Other branded PLCs — Potentially affected
• Multiple sectors — Water/wastewater, energy, government facilities

Attack Details

The exploitation involves:

• Malicious interactions with PLC project files
• Manipulation of data on HMI (Human Machine Interface) displays
• SCADA system data manipulation
• Resulting in operational disruption and financial loss

Urgent Recommendations

Organizations should immediately:

1. Remove PLCs from direct internet exposure — Use secure gateways and firewalls
2. Check logs for suspicious traffic — Ports 44818, 2222, 102, 502
3. Watch for overseas hosting provider traffic on OT device ports
4. Place Rockwell controllers in RUN mode via physical mode switch
5. Review provided IOCs — CISA released STIX XML/JSON indicators

Context

This advisory comes amid escalating tensions between the US and Iran, including reported military strikes on Iranian infrastructure. The cyber dimension adds another layer to the confrontation, targeting the physical systems that control water, energy, and government operations.

IOCs Available

CISA has released downloadable STIX format indicators:

• AA26-097A STIX XML (35KB)
• AA26-097A STIX JSON (12KB)