The recent warnings from multiple U.S. agencies, including the FBI and CISA, have highlighted a significant cybersecurity threat targeting Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs). The joint advisory, released on April 7, 2026, underscores the active targeting of these devices by Iranian-affiliated advanced persistent threat (APT) actors. The focus on industrial systems crucial to national infrastructure has raised alarm.
Targeting Critical Infrastructure
Rockwell Automation’s PLCs are integral to various critical infrastructures, such as water treatment facilities, energy sectors, and government operations. The advisory, labeled AA26-097A, confirms this threat as an ongoing concern, posing substantial risks to operational technology (OT) environments across the United States and globally. The attackers are associated with the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and operate under several aliases.
Since November 2023, this group has been linked to breaches involving at least 75 Unitronics PLCs in U.S. water and wastewater facilities, as noted in a previous CISA advisory. The recent shift to targeting Rockwell devices marks a significant escalation, with activities traced back to at least March 2026.
Exposed Devices and Attack Strategies
Censys researchers have identified 5,219 internet-exposed hosts that identify as Rockwell Automation/Allen-Bradley devices, giving a sense of the pool of potential targets. 74.6% of these, 3,891 hosts, are located in the United States; Spain, Taiwan, and Italy also show significant exposure.
The threat actors are exploiting legitimate engineering software, Studio 5000 Logix Designer, to access these PLCs, allowing them to manipulate critical systems undetected. This campaign includes probing additional OT protocols, suggesting an expansion of their target range across various platforms.
Vulnerabilities and Mitigation Measures
Almost half (49.1%) of the exposed devices connect through Verizon Business cellular modems, with AT&T Mobility accounting for another 13.3%. Such cellular connections are common at pump stations, electrical substations, and municipal facilities, which makes this exposure a significant deployment risk.
Censys also reports co-exposed services that broaden the attack surface: VNC on 771 of the hosts, and Telnet and Modbus on many others. These exposures match the malicious behaviors outlined in advisory AA26-097A.
Organizations are urged to take immediate action to mitigate these risks. This includes removing direct internet exposure of Rockwell/Allen-Bradley PLCs, switching devices to secure modes, and disabling vulnerable services. Implementing multi-factor authentication and updating firmware are also recommended. Reviewing inbound traffic from known operator IPs is critical to ensure security.
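The last recommendation above, reviewing inbound traffic against the set of known operator addresses, is easy to automate over firewall or flow records. The following script is an added example written for this article; it is not code from Censys, CISA, or Rockwell Automation. The record format, the operator allowlist, and the sample records are all constructed for illustration. The watched ports are the well-known defaults for the services the article names (Modbus/TCP 502, VNC 5900, Telnet 23) plus EtherNet/IP on TCP 44818, the protocol Rockwell/Allen-Bradley PLCs and Studio 5000 Logix Designer use; the assumption is that anything reaching those ports from outside the allowlist deserves a human look.

```python
"""Triage inbound connection records against an operator IP allowlist.

Added example (not part of the article or the CISA advisory). Everything
below is constructed for illustration: the record format, the allowlisted
networks and the sample records.
"""
import ipaddress
import re
from dataclasses import dataclass

# Well-known ports for the co-exposed services the article names, plus
# EtherNet/IP (CIP), the protocol Rockwell/Allen-Bradley PLCs speak.
WATCHED_PORTS = {
    44818: "EtherNet/IP (CIP)",
    502: "Modbus/TCP",
    5900: "VNC",
    23: "Telnet",
}

# Constructed allowlist of networks from which operator/engineering access is
# expected. Anything else reaching a watched port becomes a finding.
OPERATOR_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # assumed: plant engineering VLAN
    ipaddress.ip_network("203.0.113.10/32"),  # assumed: integrator's static IP
]

# Constructed record format: "<ts> ACCEPT|DROP src=<ip>:<port> dst=<ip>:<port>"
_RECORD = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str


def is_operator(src: str) -> bool:
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OPERATOR_NETWORKS)


def review_inbound(records):
    """Return accepted connections to watched ports from non-operator sources."""
    findings = []
    for line in records:
        m = _RECORD.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue  # malformed, or already blocked at the perimeter
        dport = int(m["dport"])
        if dport not in WATCHED_PORTS or is_operator(m["src"]):
            continue
        findings.append(
            Finding(m["ts"], m["src"], m["dst"], dport, WATCHED_PORTS[dport])
        )
    return findings


# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_RECORDS = [
    "2026-04-08T01:12:03Z ACCEPT src=10.20.4.15:50122 dst=192.168.50.10:44818",
    "2026-04-08T01:13:41Z ACCEPT src=198.51.100.77:41002 dst=192.168.50.10:44818",
    "2026-04-08T01:14:09Z ACCEPT src=198.51.100.77:41010 dst=192.168.50.10:5900",
    "2026-04-08T01:15:22Z DROP src=198.51.100.77:41020 dst=192.168.50.10:23",
    "2026-04-08T01:16:00Z ACCEPT src=203.0.113.10:55000 dst=192.168.50.11:502",
    "2026-04-08T01:17:30Z ACCEPT src=198.51.100.9:60000 dst=192.168.50.11:443",
    "garbage line",
]

if __name__ == "__main__":
    for f in review_inbound(SAMPLE_RECORDS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.service}) "
              "outside operator allowlist")
```

Run against the sample records, the script flags the two accepted connections from 198.51.100.77 (to EtherNet/IP and to VNC) and ignores the engineering-VLAN session, the integrator's Modbus session, the dropped Telnet attempt, and the HTTPS connection to an unwatched port. In practice the allowlist would be sourced from the site's access-control documentation and the records from the perimeter firewall or cellular gateway in front of the PLC.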