The U.S. government on April 7 warned critical infrastructure companies that Iranian-linked advanced persistent threat (APT) groups are conducting “ongoing cyber exploitation” of internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) from Rockwell Automation/Allen-Bradley.Government officials said priority targets include critical infrastructure sectors such as energy, wastewater treatment, transportation, and telecommunications, along with the defense industrial base, federal contractors, and government mission-support systems.The joint critical infrastructure advisory was issued by a broad cross-section of federal and intelligence agencies, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF).Cybersecurity experts said teams should take the government’s advisory seriously and expect that, despite a fragile ceasefire, the cyberwar that’s been going on well before the joint U.S.-Israel attack on Feb. 28 will rage on.“Unfortunately, if this conflict continues to escalate, the world should expect attacks, not only against critical infrastructure, but also financial systems, supply chains, and cloud providers both electronically and physically,” said Morey Haber, chief security advisor at BeyondTrust.Haber cautioned that cyberattacks will not mirror military precision: they will exploit weakest links, especially identity, where one compromised credential can cascade into a systemic shock once the adversary has an electronic beachhead into an environment.“In this security professional’s opinion, I hope we can avoid the potential risks of full blown cyber warfare,” said Haber.Shane Barney, chief information security officer at Keeper Security, said the recent wave of cyberattacks targeting critical infrastructure in Western democracies represents a broader shift in how conflict plays out in the modern era. Barney said cyberattacks are no longer separate from geopolitical events; they are increasingly used alongside them to create pressure, disrupt essential services and influence outcomes without the need for physical confrontation.Barney said the recent reports and warnings of nation-state activity targeting industrial control systems highlight a structural reality that security teams have been grappling with for several years — the convergence of IT and OT has eliminated any meaningful separation between digital access and physical impact.“These attacks are not defined by novel exploitation techniques, but by the systematic identification and abuse of exposed systems, weak identity controls and persistent access pathways,” said Barney. “Internet-facing management tools, particularly those tied to legacy or poorly-segmented environments, create a predictable attack surface. When combined with automated scanning and AI-assisted reconnaissance, threat actors can continuously probe global infrastructure at scale, identifying misconfigurations in minutes rather than months.”Süleyman Özarslan, vice president of Picus Labs, and author of a recent blog on the motives of the Iranian-linked attackers, said the most notable aspect of this campaign is the attackers’ skill. They use the same engineering software and trusted connections that OT teams use daily, making it difficult to spot malicious activity.“For defenders, the main problem is exposure,” said Özarslan. “If PLCs can be accessed from the internet, attackers have a straightforward way into operational systems. An even greater concern is that this shows a weakness in how systems are designed. If segmentation, access controls, and hardening are not strong enough, attackers can blend in with normal OT workflows, stay in the system, and disrupt industrial operations in ways that are harder to spot."David Sequino, co-founder and CEO at OmniTrust, said Iranian-affiliated actors aren't just probing for data within our critical infrastructure — they are threatening the physical systems at the foundation of our daily lives."They’re targeting the systems that keep everyday life running, from water to energy to infrastructure. The real risk is physical," said Sequino. "For years, industrial controllers have relied on adding security after the fact, once a product has been designed, built and fielded. But when attackers can manipulate control systems or operator interfaces, they’re not just stealing information, they can change how physical systems behave."Sequino said when an adversary can manipulate a project file or a human-machine interface (HMI) to the control panels and dashboards that let operators interact with physical machinery, they effectively hijack the physical source of truth, causing physical consequences. While this advisory focuses on specific PLC hardware, Sequino said the methodology exposes a broader industrywide need to move beyond the “Bolt on” and “patch-and-pray” model and adopt trust lifecycle management (TLM) during the outset of any design cycle for any element in our critical infrastructure.“True resilience requires every device to maintain a verifiable, cryptographic identity from design, development, to the factory floor to decommissioning,” said Sequino. “In 2026, if any piece of hardware, firmware, software, user or site can't prove its own integrity it's a liability. Operators can no longer just lock the door; they must be able to protect the keys across the entire lifecycle of any and all devices that make up our critical infrastructure.”Louis Eichenbaum, federal CTO at ColorTokens, added, based on ongoing U.S. military actions involving Iran, there’s a high likelihood of continued retaliatory cyber activity from Iranian state actors and affiliated proxy groups aimed at causing widespread disruption and executing targeted intrusions.Eichenbaum said these operations will likely leverage proven, opportunistic techniques, including phishing campaigns that allow for credential theft and account takeover, exploitation of unpatched edge devices such as VPNs and firewalls, distributed denial-of-service attacks against public-facing services, and hack-and-leak or extortion campaigns designed to drive both operational and reputational impact.“There’s also a credible risk of opportunistic compromise of exposed operational technology and industrial control systems, particularly where those systems remain accessible from the internet,” said Eichenbaum.“These actors will continue to exploit well-known and frequently targeted weaknesses, including internet-exposed PLCs and OT management interfaces, weak or absent multi-factor authentication, particularly for privileged and remote access, unpatched known exploited vulnerabilities in edge infrastructure, and common identity risks such as credential reuse and password spraying.”Eichenbaum said teams need to take immediate steps to reduce exposure and strengthen resilience. Such steps include the following: remove or tightly restrict internet access to OT and ICS systems; enforce phishing-resistant multi-factor authentication; and implement granular microsegmentation within these environments to prevent an adversary from leveraging a compromised endpoint to move laterally and reach critical assets.In its advisory, the federal government recommends teams take the following steps:
- Remove PLCs from direct internet exposure via a secure gateway and firewall.
- Query available logs for the provided indicators of compromise (IOCs) in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- Place the physical mode switch on the controller for Rockwell Automaton devices into run position.
- Contact the authoring agencies and Rockwell Automation for guidance if the team believes they were targeted.





