Intelligence
critical | Campaign | Active

Iranian threat actors targeting Rockwell Automation PLCs: 4,000 internet-exposed devices in critical infrastructure scope

Iranian-linked cyber operators have mapped nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers across U.S. critical infrastructure. This reconnaissance indicates preparation for potential disruptive attacks against operational technology networks.

Sebastion

Affected

Rockwell Automation programmable logic controllers

Iranian state-sponsored actors have conducted systematic reconnaissance against U.S. critical infrastructure by identifying nearly 4,000 internet-exposed Rockwell Automation PLCs. This campaign represents a significant shift in targeting strategy: rather than focusing solely on IT networks or perimeter systems, threat actors are directly mapping operational technology devices that should not be internet-accessible. The sheer scale of exposed devices suggests either widespread misconfiguration across multiple sectors or deliberate exposure for remote management purposes.

The technical implication is severe. Programmable logic controllers directly control physical processes in power generation, water treatment, and manufacturing. Unlike compromise of a traditional IT system, which chiefly puts data and service availability at risk, PLC compromise can result in immediate physical damage, safety incidents, or infrastructure disruption. Rockwell Automation devices are high-value targets because of their prevalence in U.S. critical infrastructure; a single compromised PLC in a generating station or industrial site can upset a process whose effects propagate well beyond the device itself. The reconnaissance phase observed here suggests Iranian operators are building a targeting list for follow-on exploitation operations.

Defenders and asset owners face an immediate operational problem. The presence of PLCs on the public internet indicates either network segmentation failures or intentional exposure, typically for vendor or integrator remote access. Critical infrastructure operators should conduct immediate asset discovery to identify internet-exposed control systems, checking their own public address ranges for the EtherNet/IP service (TCP 44818) and reviewing what public scan indexes such as Shodan and Censys already list for those ranges, then implement network isolation. This incident demonstrates that many organisations have not internalised the core principle of OT security: operational technology should not be internet-routable under any circumstance, and Rockwell Automation's own published guidance is that devices not designed for public internet connectivity must not be directly connected to it. Organisations operating Rockwell equipment should assume reconnaissance activity is ongoing and prioritise isolation of these devices behind properly configured industrial demilitarised zones, with any remaining remote access routed through a monitored jump host rather than a port forward to the controller.
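The discovery step described above can be done with the same unauthenticated request the reconnaissance relies on. The following is an added example, not code from this brief or from Rockwell: it builds an EtherNet/IP ListIdentity request, parses the reply into the CIP Identity fields (vendor ID 1 is Rockwell Automation/Allen-Bradley, device type 0x0E is a programmable logic controller), and flags matches for an exposure inventory. The sample reply is constructed for offline testing; the product code, serial and address in it are hypothetical, and `probe()` is the only function that touches the network.

```python
"""EtherNet/IP ListIdentity: build the request and parse the reply.

Added example for asset discovery of internet-exposed Rockwell/Allen-Bradley
controllers; not code from the original brief. Wire layout follows the public
EtherNet/IP encapsulation format (TCP/UDP 44818). The sample reply below is
constructed for offline testing, not captured from a real device.
"""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063      # encapsulation command: ListIdentity
ITEM_LIST_IDENTITY = 0x000C     # CPF item type carried in the reply
VENDOR_ROCKWELL = 1             # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x0E          # CIP device type 0x0E = Programmable Logic Controller
HEADER_FMT = "<HHII8sI"         # command, length, session, status, sender ctx, options
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes


def build_list_identity_request(sender_context: bytes = b"recon\x00\x00\x00") -> bytes:
    """ListIdentity is header-only: length 0 and no session, i.e. unauthenticated."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be 8 bytes")
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, sender_context, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Decode one ListIdentity reply; raises ValueError on anything malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data, 0)
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation status 0x{status:08x}")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated body")
    item_count, type_id, item_len = struct.unpack_from("<HHH", body, 0)
    if item_count < 1 or type_id != ITEM_LIST_IDENTITY:
        raise ValueError("no ListIdentity item")
    item = body[6:6 + item_len]
    if len(item) != item_len or item_len < 34:
        raise ValueError("truncated identity item")
    # Item layout: protocol version (LE), sockaddr_in (big-endian, 16 bytes),
    # Identity object attributes (LE), length-prefixed product name, state byte.
    (proto_ver,) = struct.unpack_from("<H", item, 0)
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product, rev_major, rev_minor, dev_status, serial = \
        struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    if len(item) < 34 + name_len:
        raise ValueError("truncated product name")
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    state = item[33 + name_len]
    return {
        "proto_version": proto_ver, "ip": socket.inet_ntoa(addr), "port": port,
        "vendor_id": vendor, "device_type": dev_type, "product_code": product,
        "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
        "serial": serial, "product_name": name, "state": state,
    }


def is_rockwell_plc(ident: dict) -> bool:
    """Inventory flag: Rockwell vendor ID and a controller device type."""
    return ident["vendor_id"] == VENDOR_ROCKWELL and ident["device_type"] == DEVICE_TYPE_PLC


def probe(host: str, timeout: float = 3.0) -> dict:
    """Live check over TCP 44818 (needs network; only against assets you are
    authorised to test). A host of yours that answers here is internet-exposed."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
        s.sendall(build_list_identity_request())
        data = s.recv(4096)
    return parse_list_identity_response(data)


def build_sample_response() -> bytes:
    """Constructed reply (not a capture): a hypothetical 1756 controller at 192.0.2.10."""
    name = b"1756-L61/B LOGIX5561"
    item = struct.pack("<H", 1)                                           # protocol version 1
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVICE_TYPE_PLC,
                        0x0036, 20, 11, 0x0030, 0x00C0FFEE)               # product, rev 20.11, status, serial
    item += bytes([len(name)]) + name + b"\x03"                           # name, then state 3 = operational
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    header = struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, b"recon\x00\x00\x00", 0)
    return header + body


if __name__ == "__main__":
    ident = parse_list_identity_response(build_sample_response())
    print(ident["ip"], ident["product_name"], "rev", ident["revision"],
          "ROCKWELL PLC" if is_rockwell_plc(ident) else "other")
```

Run against your own public ranges with a port scanner feeding `probe()`, or use nmap's bundled `enip-info` script (`nmap -p 44818 --script enip-info <range>`), which decodes the same reply. Anything that answers is reachable by the same operators the brief describes, since no credentials are involved; the parser rejects truncated or non-zero-status replies rather than reporting partial fields.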

The broader implication is that Iranian cyber operations have moved from overtly disruptive campaigns to more systematic, reconnaissance-driven approaches (Stuxnet, often invoked as the reference point for PLC attacks, was an attack on Iran's enrichment programme rather than an Iranian operation). Building and maintaining a database of exploitable critical infrastructure assets allows for opportunistic strikes during geopolitical tension. This campaign also reflects a maturation in how state actors approach infrastructure targeting: rather than developing zero-days for specific PLC models, they identify the easiest vector first, namely devices reachable from the internet and protected only by default or weak configuration. The fact that nearly 4,000 devices met exposure criteria indicates this is not a rare edge case but a systemic defence gap.