US agencies warn of Iranian cyberattacks on internet-facing PLCs

Federal agencies said on April 7, 2026, that Iranian-affiliated cyber actors have been exploiting internet-facing operational technology (OT) devices across the U.S. The activity focuses specifically on programmable logic controllers (PLCs) from Rockwell Automation and Allen-Bradley.

What happened

According to the joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and other governing bodies, the attackers used overseas-based IP addresses to reach exposed PLCs and, in some cases, established accepted connections with legitimate engineering software rather than relying on a flashy zero-day exploit. Officials said the activity affected sectors including government services and facilities, water and wastewater systems, and energy, and that some incidents already caused operational disruption and financial loss.

The advisory also states that the actors interacted with project files, manipulated Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) display information, and, in some cases, deployed tools to maintain remote access, raising concerns that relatively simple but exposed OT environments can be disrupted without highly sophisticated tradecraft.

What was said

According to the advisory Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure, “The authoring agencies observed Iranian-affiliated APT actors using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs [T0883]. The actors used leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation’s Studio 5000 Logix Designer software, to create an accepted connection to the victim’s PLC. Targeted devices include CompactLogix and Micro850 PLC devices.”

Why it matters

A recent Paubox report found that 28% of email-related healthcare breaches reported in 2025 came from vendor and business associate email exposure, a statistic that shows how often serious cyber incidents grow out of ordinary trust relationships and preventable exposure rather than highly novel attack methods.

The same pattern ties CISA’s November 2023 Unitronics alert to the April 2026 warning on Iranian-affiliated exploitation of Rockwell and Allen-Bradley PLCs. In the 2023 case, CISA said attackers were actively exploiting Unitronics PLCs used in water and wastewater systems and specifically urged operators to remove those devices from open internet exposure, require MFA for remote access, and change default passwords, including ensuring that the default 1111 password was not still in use.

NIST separately records a default administrative password vulnerability in Unitronics VisiLogic that could allow an unauthenticated attacker with network access to take administrative control. By April 2026, federal agencies were warning that the same broader pattern had matured into a wider campaign against internet-facing PLCs across critical infrastructure.
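The common thread in both advisories is a PLC that accepts connections from addresses outside the plant network. As an added example (not code from the article, from CISA, or from any vendor), the script below reads constructed firewall log lines and flags allowed TCP sessions from external addresses to PLC service ports, the kind of evidence an operator can use to confirm a controller is internet-facing before it is found by someone else. The port mapping is an assumption for this example: TCP 44818 is the EtherNet/IP port used by Rockwell/Allen-Bradley Logix controllers and Studio 5000, and TCP 20256 is the Unitronics PCOM port; the internal address ranges and the log format are likewise constructed and should be replaced with your own.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption for this example: TCP ports commonly used by the PLC families named in
# the two CISA advisories. Extend this with the controllers present in your network.
PLC_PORTS = {
    44818: "EtherNet/IP (Rockwell/Allen-Bradley)",
    20256: "PCOM (Unitronics)",
}

# Assumption: these RFC 1918 ranges are the only legitimate plant/OT address space.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample firewall log in a simple key=value style; not real traffic.
SAMPLE_LOG = """\
2026-04-07T02:14:11Z action=allow src=203.0.113.45 dst=10.20.30.5 dport=44818 proto=tcp
2026-04-07T02:14:12Z action=allow src=10.20.30.8 dst=10.20.30.5 dport=44818 proto=tcp
2026-04-07T02:15:40Z action=allow src=198.51.100.7 dst=10.20.30.9 dport=20256 proto=tcp
2026-04-07T02:16:02Z action=deny src=203.0.113.45 dst=10.20.30.5 dport=44818 proto=tcp
2026-04-07T02:17:55Z action=allow src=203.0.113.45 dst=10.20.30.6 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_text):
    """True when the address lies outside every configured internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_plcs(log_text, allowlist=()):
    """Return allowed TCP sessions from external sources to PLC ports.

    allowlist: source addresses (for example a vendor's remote-support gateway that
    already sits behind MFA) that should not be reported.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or rec["proto"] != "tcp":
            continue  # denied traffic and non-TCP noise are not exposure evidence
        if rec["dport"] not in PLC_PORTS:
            continue  # only controller service ports are of interest here
        if not is_external(rec["src"]) or ipaddress.ip_address(rec["src"]) in allowed:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "protocol": PLC_PORTS[rec["dport"]],
        })
    return findings


def summarize(findings):
    """Group findings by controller so each exposed PLC is listed once with its sources."""
    per_plc = defaultdict(set)
    for f in findings:
        per_plc[f["dst"]].add(f["src"])
    return {dst: sorted(srcs) for dst, srcs in per_plc.items()}


if __name__ == "__main__":
    for dst, srcs in summarize(find_exposed_plcs(SAMPLE_LOG)).items():
        print(f"PLC {dst} accepted sessions from external addresses: {', '.join(srcs)}")
```

Any controller that appears in the summary is reachable from outside the plant; the advisory's remediation applies directly: remove it from internet exposure, put remote engineering access behind MFA, and verify that no default password remains in use.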

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is HMI and SCADA display information?

HMI and SCADA display information is the data shown on industrial control system screens that operators use to monitor and manage machines, processes, and infrastructure.

What are programmable logic controllers?

Programmable logic controllers are industrial computers that monitor inputs and control physical processes such as pumps, valves, motors, and other machinery.

What is an OT environment?

An OT environment is the hardware, software, and networked systems used to run, monitor, and protect physical operations in places such as factories, utilities, water systems, and energy facilities.

Why is network access not simply a singular attack mechanism?

Network access is not simply a singular attack mechanism because it can enable multiple stages of compromise, including reconnaissance, credential abuse, remote control, persistence, data manipulation, and disruption of physical operations.