U.S. critical infrastructure operators are facing an active and ongoing cyber threat campaign attributed to Iranian state-aligned actors. Recent investigations indicate that thousands of internet-exposed industrial control system (ICS) devices are being actively targeted, with confirmed cases of compromise, operational disruption, and attempted destructive activity. The activity is centered on programmable logic controllers (PLCs), the devices that directly run a wide range of industrial processes. Investigators report that approximately 3,800–4,000 U.S.-based industrial devices, largely Rockwell Automation / Allen-Bradley PLCs, are currently exposed to the public internet and susceptible to exploitation. These devices represent a significant portion of globally exposed PLC infrastructure and are concentrated across critical sectors including energy, water and wastewater, oil and gas, and government services.
Exploitation activity targeting these brands of PLC has been linked to several Iranian APT groups known to be associated with Iran’s Islamic Revolutionary Guard Corps. The campaign against PLCs is known to have escalated in March 2026 and aligns with broader geopolitical tensions, suggesting a coordinated effort to enable disruptive or retaliatory cyber operations against U.S. infrastructure. The primary attack vector is direct exploitation of internet-facing PLCs: adversaries scan for exposed devices and use remote access services and industrial protocols such as EtherNet/IP to gain initial access. Once access is obtained, observed post-compromise activity includes extraction of PLC project files and sensitive configuration data, manipulation of Human-Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) systems, and impairment of process control logic. These manipulations have resulted in real-world operational impacts, including forced transitions to manual operations, system downtime, and financial losses. In some cases, threat actors have attempted to deploy destructive “wiper” malware, indicating an intent to cause irreversible damage to systems and data.
Attacks on PLCs pose a significant threat to industrial operations across the US. Beyond this vendor's devices in particular, investigators have identified tens of thousands of additional PLCs potentially targetable by Iranian APTs in the future, especially as AI-assisted workflows significantly reduce the barrier to entry for less sophisticated actors. Warnings from US federal authorities make it clear that this activity is capable of producing significant disruption within the United States. Any organization operating such devices should take steps to reduce its exposure. Investigators recommend removing PLCs and other control devices from direct internet exposure, enforcing strong authentication mechanisms including multi-factor authentication for remote access, and implementing strict network segmentation between IT and OT environments. Given the observed use of destructive techniques, incident response plans should also account for potential data loss and operational outages, including maintaining offline backups and tested recovery procedures.
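As an added illustration of the exposure and segmentation checks recommended above (example code, not part of the original bulletin), the following Python reviews constructed firewall flow-log lines and flags EtherNet/IP connections (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O) to an assumed OT subnet that originate either from outside the internal address space or from an IT subnet. The OT/IT subnets, the approved engineering-workstation address, and the key=value log format are all assumptions.

```python
import ipaddress
import re

# Constructed sample flow-log lines (assumed key=value format). The 198.51.100.x
# and 203.0.113.x sources are documentation addresses standing in for internet hosts.
SAMPLE_FLOWS = """\
2026-03-14T02:11:09Z proto=tcp src=198.51.100.23 sport=51234 dst=10.20.5.10 dport=44818 action=allow
2026-03-14T02:12:41Z proto=tcp src=10.10.4.17 sport=40211 dst=10.20.5.10 dport=44818 action=allow
2026-03-14T02:13:02Z proto=tcp src=10.20.1.5 sport=40300 dst=10.20.5.11 dport=44818 action=allow
2026-03-14T02:14:55Z proto=udp src=203.0.113.9 sport=2222 dst=10.20.5.12 dport=2222 action=allow
2026-03-14T02:15:10Z proto=tcp src=10.10.4.17 sport=40212 dst=10.10.9.3 dport=443 action=allow
"""

ENIP_PORTS = {44818, 2222}  # EtherNet/IP explicit messaging and implicit I/O
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]           # assumed OT (control network) range
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.1.5")}    # assumed approved engineering workstation

LINE_RE = re.compile(r"src=(\S+) sport=\d+ dst=(\S+) dport=(\d+)")


def in_nets(addr, nets):
    return any(addr in net for net in nets)


def classify_flow(src, dst, dport):
    """Return a finding label for an EtherNet/IP flow into OT, or None if it is expected."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport not in ENIP_PORTS or not in_nets(dst_ip, OT_NETS):
        return None                                   # not EtherNet/IP, or not aimed at OT
    if not in_nets(src_ip, INTERNAL_NETS):
        return "internet-exposed EtherNet/IP"         # PLC reachable from outside the enterprise
    if src_ip in ENGINEERING_HOSTS or in_nets(src_ip, OT_NETS):
        return None                                   # approved workstation or intra-OT traffic
    return "IT-to-OT EtherNet/IP crossing"            # segmentation between IT and OT is not enforced


def review_flows(text):
    """Parse flow-log text and return (line_number, finding) pairs for flagged flows."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.search(line)
        if not match:
            continue
        finding = classify_flow(match.group(1), match.group(2), int(match.group(3)))
        if finding:
            findings.append((number, finding))
    return findings


if __name__ == "__main__":
    for number, finding in review_flows(SAMPLE_FLOWS):
        print(f"line {number}: {finding}")
```

Lines matching the first finding are candidates for immediate removal from internet exposure; lines matching the second indicate an IT host reaching a controller without passing through the approved engineering path, which the segmentation policy should block.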