A new federal cybersecurity alert is raising alarms across critical infrastructure sectors, as Iranian-affiliated threat actors actively target programmable logic controllers (PLCs) in the United States.
The campaign, confirmed by multiple federal agencies, has already caused operational disruptions and financial losses — marking a notable escalation in cyber activity against industrial environments.
“The most notable aspect of this campaign is the attackers’ skill. They use the same engineering software and trusted connections that OT teams use daily, making it difficult to spot malicious activity,” said Dr. Süleyman Özarslan, co-founder of Picus Security and VP of Picus Labs, in an email to eSecurityPlanet.
He added, “An even greater concern is that this shows a weakness in how systems are designed. If segmentation, access controls, and hardening are not strong enough, attackers can blend in with normal OT workflows, stay in the system, and disrupt industrial operations in ways that are harder to spot.”
Inside the PLC Attack Campaign
The joint alert from CISA, the FBI, NSA, and other federal agencies highlights a rapidly escalating threat to critical infrastructure, including energy and water sectors.
Unlike earlier campaigns that often relied on weak or default credentials, this activity reflects a shift toward more advanced tradecraft.
The actors are now using legitimate engineering tools to access PLCs, allowing them to blend into normal operations while directly interacting with industrial control processes — making detection more difficult.
This underscores the need to strengthen OT defenses and close persistent gaps between IT and OT security, particularly in visibility, access control, and monitoring.
At the center of this campaign is the use of trusted tools such as Rockwell Automation’s Studio 5000 Logix Designer to establish legitimate connections to PLCs.
By leveraging the same software used by engineers, attackers can embed malicious actions within routine workflows, complicating both detection and response.
Expanded Targeting Across Industrial Systems
The scope of targeting has also expanded beyond a single vendor to include multiple industrial protocols and ports, such as EtherNet/IP (44818), Modbus (502), and Siemens-related communications (102).
This broader approach indicates a more systematic effort to identify and exploit vulnerable industrial systems.
The use of Dropbear SSH further enables persistent remote access, suggesting an intent to maintain long-term footholds rather than execute short-term disruptions.
Systemic Exposure Driving Real-World Impact
Risk is driven less by a single vulnerability and more by systemic exposure.
Many PLCs remain directly accessible from the internet without proper segmentation or authentication controls, allowing attackers to gain access using legitimate tools with minimal resistance.
Once inside, attackers can extract PLC project files, such as .ACD files, which contain detailed logic and configuration data — effectively providing a blueprint of industrial processes.
They can then manipulate HMI and SCADA displays, falsifying operator data and potentially concealing ongoing malicious activity.
This combination of reconnaissance and operational manipulation is concerning, as it suggests the threat actors are not only seeking immediate disruption but also preparing for more targeted and potentially destructive actions.
How to Reduce OT Security Risks
As attacks targeting industrial control systems become more advanced, organizations should move beyond basic security measures and adopt a more layered, proactive approach.
Effective mitigations focus on reducing exposure, strengthening access controls, and improving visibility across OT environments.
- Remove PLCs from direct internet exposure and enforce secure remote access through segmented gateways with MFA.
- Implement strong network segmentation, including OT micro-segmentation and industrial DMZ architecture, to limit lateral movement.
- Harden engineering workstations and enforce role-based, just-in-time access controls for all PLC and OT system interactions.
- Disable unnecessary services and ports while enabling protocol-aware monitoring and deep packet inspection for industrial traffic.
- Continuously monitor for anomalous behavior, including unauthorized configuration changes, abnormal engineering activity, and new communication paths.
- Maintain secure offline backups of PLC logic and verify firmware and software integrity across all OT assets.
- Regularly test and validate security controls, including exercising OT-specific incident response plans to ensure effective detection and recovery.
By focusing on these measures, organizations can strengthen resilience while reducing exposure to these OT threats.
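One way to implement the monitoring items above (direct exposure, unapproved engineering hosts, new communication paths) is to check flow records for the ports named in the alert against an allowlist. This is an added example for this article, not code from the advisory or any vendor; the flow-log format, the 10.30.0.0/16 PLC subnet and the two-host engineering allowlist are assumptions.

```python
"""Flag ICS-protocol connections that violate an engineering-access allowlist.
Added example for this article, not code from the advisory or any vendor.
The log format, addresses and allowlist below are constructed for illustration."""
import ipaddress
from collections import namedtuple

# Ports named in the alert: EtherNet/IP, Modbus, Siemens S7comm; plus SSH (Dropbear).
ICS_PORTS = {44818: "EtherNet/IP", 502: "Modbus", 102: "S7comm", 22: "SSH"}
# Assumptions: RFC 1918 space is "internal", PLCs live in 10.30.0.0/16, and
# only two engineering workstations are approved to talk to them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NETWORK = ipaddress.ip_network("10.30.0.0/16")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.1.15"), ipaddress.ip_address("10.20.1.16")}

Flow = namedtuple("Flow", "ts src dst dport")

def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def classify(flow):
    """Return a finding for an unexpected ICS connection, or None if it is expected."""
    if flow.dport not in ICS_PORTS or flow.dst not in OT_NETWORK:
        return None                      # not ICS traffic to the PLC network
    proto = ICS_PORTS[flow.dport]
    if not any(flow.src in net for net in INTERNAL_NETS):
        return f"{flow.ts} {proto} to {flow.dst} from external {flow.src}: direct internet exposure"
    if flow.src not in ENGINEERING_HOSTS:
        return f"{flow.ts} {proto} to {flow.dst} from unapproved host {flow.src}: new communication path"
    return None

def analyze(lines):
    """Run classify() over raw flow lines and return the list of findings."""
    return [f for f in (classify(parse_flow(l)) for l in lines if l.strip()) if f]

# Constructed sample flows: two approved sessions, one unapproved internal host,
# one internet-sourced Modbus connection, one internet-sourced SSH session, one web flow.
SAMPLE_FLOWS = """\
2024-06-01T08:00:01 10.20.1.15 10.30.4.10 44818
2024-06-01T08:00:05 10.20.7.88 10.30.4.10 44818
2024-06-01T08:01:10 203.0.113.7 10.30.4.20 502
2024-06-01T08:02:00 10.20.1.16 10.30.4.30 102
2024-06-01T08:03:30 198.51.100.9 10.30.4.30 22
2024-06-01T08:04:00 10.20.1.15 10.30.4.30 443
""".splitlines()

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

In a real deployment the allowlist would come from the asset inventory and the flows from a network sensor or firewall export, and the findings would feed the SIEM alongside PLC configuration-change events.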
OT Environments Under Increasing Pressure
This campaign reflects a broader trend of increased targeting of operational technology as part of state-sponsored cyber activity.
For organizations, this reinforces that industrial systems are becoming a more common target and should be treated as a core part of the enterprise security strategy, with appropriate protections and oversight in place.
As organizations rethink how to secure these environments, some are turning to zero trust solutions to help control access and reduce risk across IT and OT systems.
