Iranian‑Linked APT Targets Internet‑Exposed Rockwell/Allen‑Bradley PLCs in U.S. Critical Infrastructure
What Happened – Iranian‑affiliated APT groups are actively probing and compromising internet‑exposed Rockwell/Allen‑Bradley programmable logic controllers (PLCs) used in U.S. critical‑infrastructure environments. The campaigns have resulted in project‑file extraction, HMI/SCADA data manipulation, and operational disruptions across energy, water, and government facilities since March 2026.
Why It Matters for TPRM (third‑party risk management) –
- OT devices are often managed by third‑party vendors; a compromise can cascade to your supply chain.
- Remote access to PLCs bypasses traditional IT controls, exposing gaps in vendor security posture.
- Ongoing disruptions translate to financial loss and regulatory scrutiny for downstream customers.
Who Is Affected – Energy & utilities, water & wastewater, government services, and any organization that relies on Rockwell/Allen‑Bradley PLCs supplied or maintained by third‑party OT service providers.
Recommended Actions –
- Verify that all PLCs are isolated from the public Internet or protected by dedicated firewalls.
- Confirm that vendors enforce MFA, patch PLC firmware promptly, and disable default credentials.
- Request OT‑port traffic logs from suppliers and scan them for the indicators of compromise (IOCs) shared in the joint advisory.
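As an added example (not code from the advisory or from BleepingComputer's report), the script below shows how the first and third actions can be checked against the traffic logs a supplier exports: it flags allowed inbound connections to PLC service ports from addresses outside both the internal ranges and the vendor's contracted ranges, and separately flags any source that matches the advisory's IOC list. The port numbers are the standard EtherNet/IP ports used by Rockwell/Allen‑Bradley controllers, but treating them as "the OT ports" is an assumption; the key=value log format, the internal and vendor address ranges, and the IOC address are all constructed placeholders, since the page does not reproduce the advisory's indicators.

```python
"""Scan exported firewall/flow logs for external access to PLC ports and IOC hits.

Added example, not part of the advisory. Every address range and log line here is
constructed; replace them with your own inventory and the advisory's published IOCs.
"""
import ipaddress
import re
from dataclasses import dataclass

# EtherNet/IP, the protocol Rockwell/Allen-Bradley PLCs speak, uses TCP/UDP 44818 for
# explicit messaging and UDP 2222 for implicit I/O. Assumption: these are the "OT
# ports" the advisory means; extend the set from your asset inventory.
OT_PORTS = {44818, 2222}

# Address space in which PLCs, HMIs and engineering workstations are expected to live
# (assumption: RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ranges the contracted OT service provider may connect from (constructed assumption).
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]

# Placeholder for the indicators in the joint advisory; the page does not reproduce
# them, so a documentation-range address stands in here.
IOC_ADDRESSES = {"198.51.100.77"}

# Constructed log format: space-separated key=value pairs, loosely modelled on
# syslog-style firewall records.
LOG_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = [  # constructed records, not real traffic
    "ts=2026-03-02T01:00:00Z action=allow src=203.0.113.10 dst=10.20.0.5 dport=44818 proto=tcp",
    "ts=2026-03-02T01:04:11Z action=allow src=198.51.100.77 dst=10.20.0.5 dport=44818 proto=tcp",
    "ts=2026-03-02T01:05:38Z action=allow src=192.0.2.44 dst=10.20.0.6 dport=2222 proto=udp",
    "ts=2026-03-02T01:06:02Z action=deny src=192.0.2.44 dst=10.20.0.6 dport=44818 proto=tcp",
    "ts=2026-03-02T01:07:45Z action=allow src=10.20.0.9 dst=10.20.0.5 dport=44818 proto=tcp",
    "ts=2026-03-02T01:08:00Z action=allow src=not-an-ip dst=10.20.0.5 dport=44818 proto=tcp",
    "ts=2026-03-02T01:09:30Z action=allow src=192.0.2.44 dst=10.20.0.7 dport=443 proto=tcp",
]


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reasons: tuple


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def parse_line(line):
    """Turn one key=value record into a dict; unknown keys are kept as-is."""
    return dict(LOG_RE.findall(line))


def analyse(log_lines):
    """Return a Finding for every allowed record that breaks isolation or matches an IOC."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        rec = parse_line(line)
        try:
            dport = int(rec["dport"])
            src_ip = ipaddress.ip_address(rec["src"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete record: skip it rather than abort the scan
        if rec.get("action") != "allow":
            continue  # only traffic that actually reached the device matters here
        reasons = []
        external = not _in_any(src_ip, INTERNAL_NETS)
        if dport in OT_PORTS and external and not _in_any(src_ip, VENDOR_ALLOWLIST):
            reasons.append("external non-vendor source to OT port")
        if str(src_ip) in IOC_ADDRESSES:
            reasons.append("source matches advisory IOC")
        if reasons:
            findings.append(Finding(line_no, str(src_ip), rec.get("dst", "?"), dport, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport}  {'; '.join(f.reasons)}")
```

On the constructed sample the vendor's own connection on line 1 and the plant-internal connection on line 5 produce nothing, the denied attempt on line 4 is ignored, and lines 2 and 3 are reported; line 2 carries both reasons because the source is also on the IOC list. Any hit on the first reason is evidence against the "isolated from the public Internet" claim in the first action, independent of whether the source is a known indicator.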
Technical Notes – The attack vector relies on internet‑exposed PLCs, likely exploiting known firmware vulnerabilities and weak authentication. Extracted data includes device project files; adversaries manipulate HMI/SCADA displays to cause false readings or shutdowns. Source: BleepingComputer