Iranian APTs Expose 5,219 Rockwell PLCs – 75% Located in the United States, Threatening Critical Infrastructure
What Happened – Censys researchers identified 5,219 internet‑exposed Rockwell Automation/Allen‑Bradley PLCs (EtherNet/IP, TCP port 44818). The devices, largely MicroLogix and CompactLogix models, were found globally, but 74.6% reside in the U.S., many on cellular links (Verizon, AT&T). Iranian‑linked APT groups, including CyberAv3ngers, are actively probing and manipulating these OT assets, altering HMI/SCADA data and causing operational disruptions.
Why It Matters for TPRM –
- Exposed OT devices provide a low‑cost foothold for nation‑state actors targeting critical infrastructure.
- Third‑party vendors (Rockwell Automation) and their downstream integrators become indirect risk vectors for your organization.
- Failure to remediate can lead to service outages, safety incidents, and regulatory penalties.
Who Is Affected – Energy & utilities, water & wastewater, government facilities, manufacturing plants, and any organization that relies on Rockwell PLCs for process control.
Recommended Actions –
- Inventory all Rockwell/Allen‑Bradley PLCs and verify network exposure.
- Immediately block inbound EtherNet/IP (TCP 44818) from the public Internet; use VPN or air‑gap where possible.
- Apply the latest firmware patches; retire legacy MicroLogix/CompactLogix units that no longer receive vendor support.
- Conduct threat‑intel matching against known Iranian APT IOCs; engage with CISA/FBI for guidance.
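A quick way to verify the second action above (no inbound EtherNet/IP from the public Internet) is to triage perimeter firewall logs for allowed sessions to TCP 44818 from external sources. The following is an added example, not code from the article or from Censys; the key=value syslog format, field names and sample log lines are constructed, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public source addresses.

```python
import ipaddress
from collections import defaultdict

ENIP_PORT = 44818  # EtherNet/IP explicit messaging port used by Rockwell/Allen-Bradley PLCs

# Constructed sample firewall log lines (hypothetical key=value syslog format).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw01 action=allow proto=tcp src=203.0.113.45 spt=51234 dst=10.20.30.5 dpt=44818
2024-05-01T10:00:03Z fw01 action=allow proto=tcp src=192.168.1.10 spt=40000 dst=10.20.30.5 dpt=44818
2024-05-01T10:00:07Z fw01 action=allow proto=tcp src=198.51.100.7 spt=52222 dst=10.20.30.6 dpt=44818
2024-05-01T10:00:09Z fw01 action=deny proto=tcp src=198.51.100.8 spt=52223 dst=10.20.30.6 dpt=44818
2024-05-01T10:00:11Z fw01 action=allow proto=tcp src=203.0.113.45 spt=51240 dst=10.20.30.7 dpt=443
"""

# Address space treated as "inside"; anything else is considered an external source.
# RFC 1918 plus loopback and link-local; extend with your own engineering/VPN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip_str):
    """True if the address falls inside one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one key=value log line into a dict; return None for malformed lines."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    rec = dict(kv.split("=", 1) for kv in tokens[2:] if "=" in kv)
    if not {"action", "src", "dst", "dpt"} <= rec.keys() or not rec["dpt"].isdigit():
        return None
    rec["dpt"] = int(rec["dpt"])
    return rec

def find_exposed_plcs(log_text):
    """Map each PLC address to the sorted external sources that reached it on TCP 44818.
    Only ALLOWED sessions count; denied probes are the firewall doing its job."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != ENIP_PORT or rec["action"] != "allow":
            continue
        if not is_internal(rec["src"]):
            exposed[rec["dst"]].add(rec["src"])
    return {plc: sorted(srcs) for plc, srcs in sorted(exposed.items())}

if __name__ == "__main__":
    for plc, sources in find_exposed_plcs(SAMPLE_LOGS).items():
        print(f"PLC {plc} reachable on TCP {ENIP_PORT} from external: {', '.join(sources)}")
```

Any PLC listed in the output contradicts the "no inbound EtherNet/IP" rule and should be moved behind a VPN or firewall policy before firmware work begins.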
Technical Notes – The exposure stems from misconfigured firewalls/NAT that allow unauthenticated EtherNet/IP identification responses, leaking device model and firmware version. No specific CVE is cited; the risk is a configuration flaw amplified by outdated firmware.
Source: SecurityAffairs