Iranian hackers target US critical infrastructure PLCs

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

Attacks on programmable logic controllers (PLCs) have escalated sharply as Iranian-affiliated advanced persistent threat (APT) actors target internet-exposed industrial control systems across US critical infrastructure. On April 7, 2026, the FBI, CISA, NSA, EPA, DOE, and US Cyber Command’s Cyber National Mission Force issued a joint advisory warning of active campaigns exploiting PLCs manufactured by Rockwell Automation and Allen-Bradley, with attacks ongoing since March 2026.

Key Takeaways

  • Iranian APT actors are actively compromising internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure sectors.
  • At least 75 devices have been compromised in a single campaign, with attacks causing operational disruptions and financial losses.
  • CISA guidance requires immediate mitigation: remove PLCs from the public internet, enable multifactor authentication, and lock physical mode switches in the run position.
  • Prior Iranian group Handala wiped approximately 80,000 devices at US medtech firm Stryker in March 2026 using compromised security tools.
  • Attacks escalated following US-Israel military operations against Iran beginning February 28, 2026, and recent US threats regarding the Strait of Hormuz.

What Programmable Logic Controller Attacks Reveal About Current Threats

The current attacks on programmable logic controllers represent a dangerous shift in Iranian cyber tactics, moving beyond data theft toward direct operational disruption of critical infrastructure. The FBI assesses that Iranian-affiliated APT actors are targeting internet-exposed PLCs with intent to cause disruptions, including maliciously interacting with project files and manipulating data displayed on human-machine interfaces (HMIs) and SCADA systems. The Government Services and Facilities, Water and Wastewater Systems, and Energy sectors have all been targeted. The advisory notes that Iranian-affiliated APT targeting campaigns against US organizations have recently escalated, likely in response to hostilities between Iran and the United States and Israel.

This escalation follows the February 28, 2026 onset of US-Israel military operations against Iran, including the killing of Iran’s leader. On April 7, 2026, the same day the federal advisory was issued, US President Donald Trump posted social media threats demanding Iran open the Strait of Hormuz. The timing suggests these attacks are directly connected to geopolitical tensions, not isolated criminal activity.

Rockwell Automation and Allen-Bradley Systems Under Active Exploitation

Rockwell Automation and Allen-Bradley programmable logic controllers are the specific targets of these campaigns, so organizations that rely on these systems are particularly exposed. The attackers exploit internet-exposed devices to manipulate project files, extract sensitive configuration data, and disrupt operational displays. One campaign alone has compromised at least 75 devices, demonstrating the scope of active exploitation.

Prior to the current campaign, the Iranian group Handala—linked to government operations—wiped approximately 80,000 devices at US medtech firm Stryker in March 2026 using the company’s own security tools, specifically Intune, to distribute destructive code. That attack caused manufacturing, ordering, and shipping disruptions. The current PLC targeting campaign suggests Iranian operators are refining their approach, moving from broad device erasure to surgical control of industrial systems that regulate critical infrastructure.

CISA Mitigation Guidance for Organizations

CISA’s response includes specific, actionable steps organizations must take immediately. First, remove internet-exposed programmable logic controllers from public internet access entirely—this is the single most effective mitigation. Second, enable multifactor authentication on all administrative accounts accessing these systems. Third, review system logs for suspicious activity, particularly unauthorized changes to project files or HMI displays. Fourth, place the physical mode switches on Rockwell and Allen-Bradley PLCs in the run position to prevent remote mode changes.

These mitigations are not optional. The advisory’s urgency reflects the active nature of the threat—attacks are ongoing, and organizations that delay implementation risk compromise. Water utilities and energy operators should treat this as a critical priority, as disruptions to these sectors directly impact public safety and economic stability.
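The log-review step above is easier to operationalize with a small triage script. The following is an added example, not code from the advisory or the article: it parses constructed syslog-style controller event lines (the field names, event keywords, subnet and IP addresses are all assumptions) and flags project-file changes and mode changes that come from outside the engineering subnet or that take a controller out of RUN mode remotely.

```python
"""Triage constructed PLC event logs for the activity the advisory warns about.

Added example. The line format below is invented for illustration; real
controller or engineering-station audit logs have their own formats and need
their own parser.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption: only engineering workstations in this subnet may change PLCs.
ENGINEERING_NET = ip_network("10.20.30.0/24")

# Event keywords (assumed names) that map to the advisory's concerns:
# project file changes and controller mode changes.
SENSITIVE = {"project_download", "project_upload", "mode_change", "firmware_update"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) plc=(?P<plc>\S+) src=(?P<src>\S+) event=(?P<event>\S+)(?: detail=(?P<detail>.*))?$"
)

# Constructed sample log; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = """\
2026-03-15T02:11:09Z plc=pump-station-3 src=10.20.30.12 event=project_upload detail=backup
2026-03-15T02:14:41Z plc=pump-station-3 src=203.0.113.77 event=mode_change detail=RUN->REMOTE_PROGRAM
2026-03-15T02:15:02Z plc=pump-station-3 src=203.0.113.77 event=project_download detail=dosing.acd
2026-03-15T03:00:00Z plc=pump-station-3 src=10.20.30.12 event=heartbeat
"""

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ip_address(ev["src"])
    return ev

def review_events(log_text, allowed_net=ENGINEERING_NET):
    """Return (plc, src, event, reason) tuples for events that deserve a look."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] not in SENSITIVE:
            continue
        reasons = []
        if ev["src"] not in allowed_net:
            reasons.append("source outside engineering subnet")
        # A remote change out of RUN means the key switch was not locked in RUN.
        if ev["event"] == "mode_change" and (ev["detail"] or "").startswith("RUN->"):
            reasons.append("controller left RUN mode remotely")
        if reasons:
            findings.append((ev["plc"], str(ev["src"]), ev["event"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in review_events(SAMPLE_LOG):
        print(*finding, sep=" | ")
```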

Historical Context: CyberAv3ngers and Escalating Iranian PLC Tactics

The current campaign echoes prior Iranian cyber operations against industrial control systems. In 2023 and 2024, the Iranian group CyberAv3ngers, linked to the Islamic Revolutionary Guard Corps (IRGC), exploited Unitronics PLCs in dozens of US water utilities, taking advantage of weak network configurations. Those attacks demonstrated Iran’s capability and willingness to target water infrastructure. The shift from Unitronics to Rockwell Automation systems, and from water-focused campaigns to broader critical infrastructure targeting, suggests Iranian operators are expanding their operational scope and adapting to defender responses.

This progression is alarming. Each campaign reveals improved targeting precision and broader sectoral reach. The current advisory covers government facilities, water systems, and energy infrastructure—essentially the backbone of US critical operations. Defenders cannot assume Iranian capabilities will remain static; the historical pattern suggests continued evolution and escalation.

Why Internet Exposure Remains the Vulnerability

The core vulnerability enabling these attacks is simple: programmable logic controllers that should never be exposed to the internet are accessible from it. Legacy industrial systems were often designed without security in mind, and many organizations have added internet connectivity for remote monitoring and management without implementing proper network isolation. This creates an open door for adversaries. Once a PLC is compromised, an attacker can manipulate the systems it controls—water treatment, power distribution, manufacturing—without triggering traditional cybersecurity alerts because the changes appear to come from legitimate administrative access.

Organizations often justify internet exposure by claiming it enables faster troubleshooting or reduces operational costs. The current campaign proves this calculus is broken. A few hours of downtime for proper network redesign is trivial compared to the operational disruptions and safety risks of a compromised PLC.

What happens if a programmable logic controller is compromised?

If a PLC is compromised, an attacker gains the ability to alter industrial processes without authorization. This could mean changing water treatment parameters, disrupting power distribution, or halting manufacturing. The attacker can also extract project files containing sensitive system configurations and intellectual property. Detection is difficult because the attacker typically uses legitimate administrative credentials or exploits protocol weaknesses, making malicious commands appear normal.

Can attacks on programmable logic controllers be prevented entirely?

Complete prevention is impossible if devices remain internet-exposed, but risk can be drastically reduced through network isolation, multifactor authentication, and physical controls. Air-gapping PLCs from the internet—removing direct connectivity—is the most effective defense. For systems requiring remote access, organizations should implement secure VPN gateways with strong authentication rather than exposing devices directly. Regular security audits and log monitoring provide additional layers of detection and response capability.

How does this threat compare to previous industrial cyber incidents?

The current attacks on programmable logic controllers differ from the 2023-2024 CyberAv3ngers campaigns in scope and sophistication. Earlier attacks exploited weaker Unitronics systems; current attacks target more widely deployed Rockwell Automation platforms. Earlier campaigns focused narrowly on water utilities; current operations span multiple critical sectors. This suggests Iranian operators are becoming more ambitious and better resourced. The involvement of multiple US agencies—FBI, CISA, NSA, EPA, DOE, and Cyber Command—in a single advisory underscores the severity federal officials perceive.

The immediate action required is clear: organizations operating Rockwell Automation and Allen-Bradley programmable logic controllers must disconnect internet-exposed devices today, not next quarter. The advisory is not a warning about future risk—it is a response to active, ongoing attacks. Delay increases the probability of compromise. Federal agencies have provided the roadmap; execution is now the responsibility of every organization operating critical infrastructure.

Edited by the All Things Geek team.

Source: Tom's Hardware
