# US Intelligence Warns of Iranian State-Linked Hackers Targeting Critical Infrastructure PLCs


The U.S. government has issued a stark warning about active reconnaissance and targeting efforts by Iranian-linked threat actors against Internet-exposed industrial control systems serving critical infrastructure organizations. The campaign specifically targets Rockwell Automation's Allen-Bradley programmable logic controllers (PLCs)—one of the most widely deployed industrial automation platforms in energy, water, and manufacturing sectors across North America.


## The Threat: Aggressive PLC Reconnaissance


According to alerts from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, Iranian-state-affiliated hackers have been systematically scanning for and probing unprotected instances of Allen-Bradley PLCs exposed directly to the Internet. These reconnaissance activities represent a significant escalation in operational tempo and suggest advanced preparation for potential network intrusion or physical attack.


Key characteristics of the campaign:


  • Target scope: Rockwell Automation/Allen-Bradley PLCs across critical infrastructure sectors
  • Access method: Internet-exposed devices with minimal or no authentication protections
  • Activity level: Sustained, coordinated scanning and reconnaissance
  • Attribution: Assessed with moderate-to-high confidence to Iranian state-sponsored cyber units
  • Timeline: Intelligence suggests the campaign has been active for at least several months

The targeting of industrial control systems represents a dangerous escalation from traditional network compromise. Unlike conventional IT infrastructure, compromise of manufacturing or utility control systems could result in physical-world consequences: equipment damage, service disruptions, or in worst-case scenarios, injuries or loss of life.


## Background and Context: Why PLCs Matter


Allen-Bradley PLCs are the industrial backbone of modern infrastructure. These programmable logic controllers manage everything from power grid operations and water treatment facilities to manufacturing assembly lines and chemical processing plants. Three critical infrastructure sectors depend on them especially heavily:


  • Energy: Power generation, transmission, and distribution
  • Water: Treatment and distribution systems
  • Manufacturing: Large-scale production and process control

The prevalence of these devices makes them an attractive target for state-sponsored actors seeking access to critical operations. The precedent is well documented: Stuxnet, discovered in 2010, modified the logic running on Siemens S7 PLCs to physically damage uranium enrichment centrifuges while feeding operators normal-looking readings.


Why the vulnerability exists:


Many of these systems were deployed when OT network segmentation was physical rather than logical: the controller sat on its own cabling, and reaching it meant being in the plant. As operational technology (OT) networks were joined to enterprise IT networks and, in some cases, connected directly to the Internet for remote management, controllers that were never designed with authentication became reachable from anywhere. Administrators accustomed to IT security models sometimes underestimate how much OT security rests on that isolation, because the devices themselves offer few compensating controls.


## Technical Details: The Attack Surface


Allen-Bradley PLCs communicate over EtherNet/IP, where "IP" stands for Industrial Protocol, not Internet Protocol. It is an open ODVA standard rather than a proprietary one: it carries the Common Industrial Protocol (CIP) inside an encapsulation layer on TCP and UDP port 44818, with implicit I/O traffic on UDP 2222. The encapsulation layer's ListIdentity command, backed by the CIP Identity Object, answers without any session or credentials. A device exposed to the Internet without a firewall will therefore tell anyone who asks its vendor ID, device type, product code, firmware revision, serial number, product name and current state. That single unauthenticated reply is what search engines such as Shodan index and what the scanning described below relies on.


### Reconnaissance Methodology


The observed reconnaissance pattern follows a predictable sequence:


1. Network scanning: Actors use Shodan, Censys, or custom scanning tools to identify exposed devices

2. Protocol probing: Send an EtherNet/IP ListIdentity request to confirm the device answers and to classify it by vendor and device type

3. Firmware enumeration: Read the firmware revision, product code and serial number from the same reply, plus any further configuration detail the device exposes

4. Access testing: Attempt default credentials or authentication bypass techniques

5. Vulnerability mapping: Cross-reference discovered firmware versions against known CVEs
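The following is an added example, not code from the article, CISA, or Rockwell Automation. It shows what the attack-surface description and steps 2 and 3 above actually put on the wire: the 24-byte EtherNet/IP ListIdentity request and a parser for the unauthenticated reply that carries vendor, device type, product code, firmware revision, serial number and product name. The reply bytes are constructed for offline use (the product name, product code and serial number are made up), and `query_device` is only to be pointed at equipment you own or are authorized to assess. The same request is what a defender's network audit sends to find exposed controllers.

```python
"""EtherNet/IP ListIdentity: the unauthenticated query that exposes a PLC's identity.
Added example, not code from the article or Rockwell Automation. The sample reply is
constructed by hand for offline use (product code, serial and name are made up)."""
import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063            # encapsulation command code for ListIdentity
ITEM_LIST_IDENTITY_RESPONSE = 0x000C  # CPF item type carried in the reply
VENDOR_ROCKWELL = 0x0001              # ODVA vendor ID 1 = Rockwell Automation / Allen-Bradley
DEVICE_TYPE_PLC = 0x000E              # CIP device type 14 = Programmable Logic Controller
HEADER_FMT = "<HHIIQI"                # command, length, session, status, sender context, options
IDENTITY_FMT = "<HHHBBHI"             # vendor, device type, product code, rev major/minor, status, serial

@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial_number: int
    product_name: str
    state: int

    @property
    def is_rockwell_plc(self) -> bool:
        return self.vendor_id == VENDOR_ROCKWELL and self.device_type == DEVICE_TYPE_PLC

def build_list_identity() -> bytes:
    """Header only: no session registration and no credentials, so any exposed device answers."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)

def parse_list_identity(packet: bytes) -> Identity:
    """Parse a ListIdentity reply; raises ValueError on anything malformed or unexpected."""
    if len(packet) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, packet, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = packet[24:24 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated or empty body")
    item_count, type_id, item_len = struct.unpack_from("<HHH", body, 0)
    if item_count < 1 or type_id != ITEM_LIST_IDENTITY_RESPONSE:
        raise ValueError(f"unexpected item count {item_count} / type 0x{type_id:04x}")
    item = body[6:6 + item_len]
    off = 2 + 16  # skip encapsulation protocol version and the 16-byte big-endian sockaddr
    if len(item) != item_len or item_len < off + struct.calcsize(IDENTITY_FMT) + 1:
        raise ValueError("truncated item")
    vendor, dev_type, product, rev_major, rev_minor, status_word, serial = struct.unpack_from(IDENTITY_FMT, item, off)
    off += struct.calcsize(IDENTITY_FMT)
    name_len, off = item[off], off + 1
    name = item[off:off + name_len].decode("ascii", errors="replace")
    off += name_len
    if off >= len(item):
        raise ValueError("missing state byte")
    return Identity(vendor, dev_type, product, f"{rev_major}.{rev_minor}", status_word, serial, name, item[off])

def sample_response() -> bytes:
    """Hand-built reply for the offline demo (constructed, not captured from hardware)."""
    name = b"1756-L71/B LOGIX5571"
    sockaddr = struct.pack(">HH4s8s", 2, ENIP_PORT, bytes([192, 168, 1, 10]), b"\x00" * 8)  # AF_INET, port, addr
    item = struct.pack("<H", 1) + sockaddr
    item += struct.pack(IDENTITY_FMT, VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x0036, 20, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([0x03])  # Identity Object state 3 = Operational
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY_RESPONSE, len(item)) + item
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

def query_device(host: str, timeout: float = 2.0) -> Identity:
    """Send ListIdentity over TCP to one host. Only for equipment you own or are authorized to assess."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as sock:
        sock.sendall(build_list_identity())
        header = _recv_exact(sock, 24)
        (length,) = struct.unpack_from("<H", header, 2)
        return parse_list_identity(header + _recv_exact(sock, length))

if __name__ == "__main__":
    ident = parse_list_identity(sample_response())
    print(ident)
    print("Rockwell/Allen-Bradley PLC" if ident.is_rockwell_plc else "other EtherNet/IP device")
```

The reply is the same whether it arrives on a TCP session or as the answer to a UDP broadcast, so the parser serves both. Note what is absent from the exchange: no session to register, no password, and no rate limit in the protocol itself. The only place to stop this query is the network path in front of the controller.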


### Known Vulnerabilities


Several unpatched or improperly mitigated vulnerabilities in Allen-Bradley products could allow unauthenticated attackers to:


  • Remote code execution: Execute arbitrary commands on the PLC
  • Configuration modification: Alter program logic or settings
  • Denial of service: Crash or reset the device
  • Information disclosure: Extract sensitive operational parameters

The criticality of these vulnerabilities is amplified by the fact that many industrial environments prioritize uptime over patching: a PLC controlling a water treatment process cannot simply be rebooted for monthly security updates, so a firmware version read out during reconnaissance often stays exploitable for years. Treat the version a device reports as the version an attacker will plan against.


## Who Is Behind This?


U.S. intelligence agencies attribute the campaign to Iranian state-linked threat actors, likely operating under the umbrella of Iran's Islamic Revolutionary Guard Corps (IRGC) or associated cyber units. Iran has a documented history of targeting critical infrastructure:


  • 2013: Bowman Avenue Dam intrusion in Rye Brook, New York, in which the operators reached the dam's control system
  • 2012 and 2016-2017: Shamoon wiper attacks on Saudi Aramco and other Saudi energy and petrochemical organizations
  • 2019-2020: Port and maritime infrastructure reconnaissance
  • 2021-2022: Power grid and water utility probing

The sophistication and targeting precision suggest nation-state resources rather than independent criminal activity. Whoever the operators are, the reconnaissance phase observed now is typically a precursor to one of three things:


1. Espionage: Long-term access for intelligence gathering

2. Preparation for disruption: Pre-positioning for kinetic or cyber attacks during conflict escalation

3. Leverage development: Compromising systems to create political or diplomatic pressure


## Implications for Organizations


The implications of successful PLC compromise extend far beyond traditional cybersecurity concerns:


Operational Impact: Compromise could lead to:

  • Unplanned shutdowns of critical services
  • Cascading failures across dependent systems
  • Loss of situational awareness for operators
  • Reduced ability to respond to crises

Public Safety: In worst-case scenarios:

  • Manipulated chemical dosing at water treatment plants, sending improperly treated water into distribution
  • Power grid instability affecting hospitals or emergency services
  • Chemical release at industrial facilities
  • Transportation system disruption

Economic Damage: Extended outages could cost hundreds of millions of dollars in lost productivity and recovery efforts.


National Security: Demonstrated capability to compromise critical infrastructure strengthens Iran's deterrence posture and creates leverage for future geopolitical negotiations.


## Recommendations for Critical Infrastructure Organizations


Organizations operating Allen-Bradley PLCs should implement immediate protective measures:


### Immediate Actions (Next 30 Days)


  • Network audit: Identify every Allen-Bradley device, record its address and which networks can reach it, and check your own public address space for anything answering on TCP/UDP 44818 (the EtherNet/IP port) from the outside
  • Firewall implementation: Ensure PLCs are NOT directly Internet-accessible. Block TCP/UDP 44818 and UDP 2222 at the perimeter, and route all remote engineering access through an authenticated, logged gateway (a jump host or VPN terminating in the OT DMZ), never straight to the controller
  • Credential review: Change any default credentials and enable the strongest authentication the controller supports. Where a model offers no authentication on its CIP interface at all, as is common on older controllers, the network controls above are the only control and must be treated as mandatory
  • Firmware inventory: Document current firmware versions and available patches, so the version an attacker can read out of the device is one you already know about

### Short-Term Hardening (Next 90 Days)


  • Network segmentation: Isolate OT networks from IT networks using air gaps or monitored DMZs
  • Access controls: Implement role-based access and multi-factor authentication for administrative access
  • Monitoring deployment: Deploy intrusion detection systems (IDS) that understand OT protocols, and baseline which hosts are allowed to open CIP sessions to controllers so that any new talker, internal or external, raises an alert
  • Incident response planning: Develop procedures for PLC compromise scenarios, including how to verify controller logic against a known-good copy and how to run the process manually if a controller must be taken offline
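As an added example (not the article's or any vendor's code), this is the kind of check an OT-aware monitor performs for the monitoring and network-audit items above: read connection records, pick out EtherNet/IP sessions into the controller subnet, and grade each by where it came from. The records are constructed here in the column order of Zeek's conn.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service); the OT and engineering subnets and every address in them are assumptions for the example.

```python
"""Grade EtherNet/IP sessions to the controller subnet by where they originate.
Added example, not the article's or any vendor's code. Records are constructed in the
column order of Zeek's conn.log; the subnets and addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# EtherNet/IP explicit messaging and ListIdentity (44818 tcp+udp) and implicit I/O (2222 udp)
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Assumed network plan: controllers live in OT_NET and only the engineering
# workstation subnet may open CIP sessions to them.
OT_NET = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.200.0/24")]

# RFC 1918, loopback and link-local count as internal; everything else is external.
# (ipaddress.is_global is not used because it also rejects the documentation ranges below.)
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("1700000000.10", "C1", "10.50.200.15", "51000", "10.50.1.20", "44818", "tcp", "-"),    # engineering workstation
    ("1700000001.20", "C2", "10.20.7.8",    "51001", "10.50.1.20", "44818", "tcp", "-"),    # corporate IT host
    ("1700000002.30", "C3", "203.0.113.5",  "40000", "10.50.1.21", "44818", "tcp", "-"),    # Internet source
    ("1700000003.40", "C4", "203.0.113.5",  "40001", "10.50.1.21", "22",    "tcp", "ssh"),  # not CIP, out of scope here
    ("1700000004.50", "C5", "198.51.100.9", "40002", "10.50.1.22", "2222",  "udp", "-"),    # implicit I/O port
])

@dataclass
class Finding:
    severity: str
    uid: str
    src: str
    dst: str
    dport: int
    reason: str

def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_RANGES)

def parse_record(line: str) -> dict:
    """Split one conn.log-style line into the fields the check uses."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        raise ValueError(f"malformed record: {line!r}")
    return {"uid": f[1], "src": ipaddress.ip_address(f[2]), "dst": ipaddress.ip_address(f[4]),
            "dport": int(f[5]), "proto": f[6].lower()}

def classify(rec: dict) -> Optional[Finding]:
    """Return a finding for a CIP session into OT_NET from a disallowed source, else None."""
    if (rec["proto"], rec["dport"]) not in ENIP_PORTS or rec["dst"] not in OT_NET:
        return None
    src, dst = str(rec["src"]), str(rec["dst"])
    if not is_internal(rec["src"]):
        return Finding("critical", rec["uid"], src, dst, rec["dport"],
                       "EtherNet/IP from a public address: controller is Internet-reachable")
    if not any(rec["src"] in net for net in ALLOWED_SOURCES):
        return Finding("high", rec["uid"], src, dst, rec["dport"],
                       "EtherNet/IP from outside the engineering subnet: segmentation gap")
    return None

def analyze(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # Zeek header and comment lines
            continue
        finding = classify(parse_record(line))
        if finding:
            findings.append(finding)
    return findings

def internet_reachable(findings: List[Finding]) -> List[str]:
    """Controllers that answered a session from outside: the first list the network audit must fix."""
    return sorted({f.dst for f in findings if f.severity == "critical"})

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:8}] {f.uid} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print("Internet-reachable controllers:", internet_reachable(results))
```

The "high" finding is the one IT-centric monitoring tends to miss: a corporate workstation talking CIP to a controller is not an Internet exposure, but it is the lateral path an intruder who has already phished their way into the enterprise network will use, and it should be as alarming as the public-address case. Run the same logic over historical logs before deploying it live so the allowlist reflects how engineering actually works, not how the network diagram says it does.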

### Strategic Improvements


  • Vendor updates: Evaluate migration paths to newer platforms that support authenticated and encrypted CIP communication where feasible
  • Defense-in-depth: Layer network, host and monitoring controls rather than relying on a single perimeter control
  • Supply chain assessment: Review relationships with integrators and maintain awareness of security updates
  • Exercise planning: Conduct tabletop exercises simulating PLC compromise scenarios

## Conclusion


The warning from CISA and the FBI reflects a serious and persistent threat. Iranian actors have demonstrated capability, intent, and sustained operational focus on critical U.S. infrastructure. Organizations cannot afford to treat their industrial control systems as non-critical from a security perspective.


The good news: most of the recommended mitigations require operational discipline and architectural changes rather than advanced technology. The bad news: implementation requires sustained commitment and resources that many organizations struggle to maintain.


For critical infrastructure operators, the time to act is now, before reconnaissance gives way to intrusion attempts.