
Iranian Hackers Target Thousands of Rockwell PLCs in US Grid

Iranian-linked threat groups are actively targeting thousands of exposed Rockwell Automation programmable logic controllers across US critical infrastructure networks.

10 April 2026, 17:52 (6 min read)

Last updated 10 April 2026, 21:49

Severity: High
Exploit: Active Exploit
Patch status: Unavailable
Vendor: Rockwell Automation
Affected: ControlLogix 5580, 5570, 5560 ...
Category: Cyber Attacks

Iranian Groups Launch Coordinated Campaign Against Rockwell PLCs

Iranian-linked threat actors have launched a sophisticated campaign targeting thousands of Internet-exposed programmable logic controllers manufactured by Rockwell Automation across US critical infrastructure networks. The attacks, discovered in early April 2026, represent a significant escalation in nation-state targeting of industrial control systems that manage power generation, water treatment, and manufacturing facilities.

The campaign specifically focuses on Rockwell Automation's ControlLogix and CompactLogix PLC families, which are widely deployed across US critical infrastructure sectors. These controllers manage essential functions including power distribution, chemical processing, and water treatment operations. Security researchers identified the threat actors probing for vulnerabilities in Human Machine Interface (HMI) software and exploiting default authentication credentials that remain unchanged from factory settings.

The attackers are leveraging multiple attack vectors, including exploitation of legacy protocols such as EtherNet/IP and the Common Industrial Protocol (CIP), which lack built-in encryption or authentication. Intelligence agencies report the threat groups are conducting reconnaissance to map network topologies and identify high-value targets within power generation facilities and water treatment plants. The campaign appears coordinated with previous Iranian cyber operations against US infrastructure, suggesting state-sponsored backing.

Cybersecurity agencies have observed the attackers attempting to gain persistent access to operational technology networks by compromising engineering workstations that connect to both corporate IT networks and industrial control systems. This technique allows lateral movement from less-secured corporate networks into critical operational environments. The CISA Known Exploited Vulnerabilities catalog has been updated to reflect new attack patterns observed in this campaign.

The timing of these attacks coincides with heightened geopolitical tensions and follows a pattern of Iranian cyber operations targeting US critical infrastructure during periods of diplomatic strain. Previous Iranian campaigns have targeted similar industrial control systems, but the current operation shows increased sophistication in targeting specific PLC models and exploiting industrial protocol weaknesses.

Critical Infrastructure Sectors Face Widespread Exposure

The attack campaign affects thousands of Rockwell Automation PLCs deployed across multiple critical infrastructure sectors in the United States. Primary targets include electric power generation facilities, water and wastewater treatment plants, chemical manufacturing facilities, and oil and gas pipeline operations. Security scans reveal approximately 15,000 Rockwell PLCs with direct Internet exposure, making them accessible to remote attackers without requiring initial network compromise.

Specifically vulnerable are facilities running ControlLogix 5580, 5570, and 5560 series controllers, along with CompactLogix 5380 and 5370 models that maintain default factory configurations. These systems are particularly at risk when connected to corporate networks or when remote access capabilities are enabled for maintenance purposes. Many affected organizations operate in the energy sector, including regional power cooperatives and municipal utilities that rely heavily on Rockwell automation systems for grid management.

The threat extends beyond direct PLC targeting to include engineering workstations running RSLogix 5000 and Studio 5000 software used to program and monitor these controllers. Compromised engineering stations provide attackers with legitimate credentials and programming capabilities to modify control logic or disrupt operations. Water treatment facilities represent a particularly concerning target, as PLC manipulation could affect chemical dosing systems or filtration processes that ensure safe drinking water.

Small to medium-sized utilities face the highest risk due to limited cybersecurity resources and reliance on remote monitoring systems that increase Internet exposure. These organizations often lack dedicated operational technology security teams and may not have implemented network segmentation between corporate IT and industrial control systems. The Microsoft Security Response Center has issued guidance for organizations using Windows-based HMI systems that interface with these PLCs.

Immediate Response and Mitigation Strategies for Rockwell PLC Security

Organizations operating Rockwell Automation PLCs must implement immediate security measures to protect against ongoing Iranian cyber operations. The first critical step is a comprehensive network scan to identify every Internet-exposed PLC, followed by removal of unnecessary external connectivity. Network administrators should implement firewall rules blocking direct Internet access to PLC communication ports, particularly TCP port 44818 (EtherNet/IP explicit messaging, which carries CIP) and UDP port 2222 (EtherNet/IP implicit I/O messaging).

Authentication hardening represents the most critical immediate mitigation. All default passwords must be changed on PLCs, HMI systems, and engineering workstations. Rockwell recommends implementing role-based access control using FactoryTalk Security software to manage user permissions and enforce strong authentication requirements. Organizations should disable unused communication protocols and services on PLCs, particularly legacy protocols that lack encryption capabilities.

Network segmentation provides essential protection by isolating operational technology networks from corporate IT systems and the Internet. Implement industrial firewalls or data diodes to control communication between network zones, allowing only necessary traffic for legitimate operations. Virtual private networks should replace direct Internet connections for remote maintenance, with multi-factor authentication required for all remote access sessions.

Monitoring and detection capabilities must be enhanced to identify suspicious PLC activity. Deploy industrial network monitoring tools capable of analyzing EtherNet/IP and CIP traffic for anomalous commands or unauthorized configuration changes. Log all PLC programming activity and alert on unexpected control logic modifications or unauthorized access attempts. Regular backups of PLC programs and configurations enable rapid recovery from a compromise.
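The exposure check and the monitoring step above share one underlying question: which hosts are talking EtherNet/IP to the controllers, and should they be? The script below is an added example (not from the article, Rockwell, or CISA) that answers it over flow records. It assumes a constructed record format of `timestamp src_ip dst_ip proto dport`, a hypothetical PLC zone of 10.20.0.0/24, and a single approved engineering workstation at 10.10.5.21; all sample flows are constructed. It flags EtherNet/IP connections (TCP 44818, UDP 2222) reaching the PLC zone from a public address, which indicates direct Internet exposure, and from internal hosts that are not approved engineering stations, which indicates missing segmentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# EtherNet/IP ports named in the article: TCP 44818 (explicit messaging,
# carries CIP) and UDP 2222 (implicit I/O messaging).
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Hypothetical site layout for this example (not from the article).
PLC_ZONE = ipaddress.ip_network("10.20.0.0/24")           # controllers
ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.5.21")}  # approved Studio 5000 workstation
# RFC 1918 ranges; anything outside them is treated as a public (Internet) source.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    dst: IPAddr
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src_ip> <dst_ip> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def is_internal(addr: IPAddr) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return None for expected traffic, otherwise a short finding label."""
    # Only EtherNet/IP traffic destined for the controller zone is of interest.
    if (flow.proto, flow.dport) not in ENIP_PORTS or flow.dst not in PLC_ZONE:
        return None
    if flow.src in ENGINEERING_HOSTS:
        return None                       # approved programming/monitoring host
    if not is_internal(flow.src):
        return "external-source"          # PLC reachable directly from the Internet
    if flow.src in PLC_ZONE:
        return None                       # controller-to-controller I/O inside the cell
    return "unauthorized-internal-source" # corporate/IT host reaching the PLC zone


def find_findings(lines: List[str]) -> List[Tuple[str, str, str, str, int, str]]:
    """Run classify() over raw records, skipping blanks and '#' comments."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        label = classify(f)
        if label:
            findings.append((f.ts, str(f.src), str(f.dst), f.proto, f.dport, label))
    return findings


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """\
# ts src dst proto dport
2026-04-10T12:00:01Z 10.10.5.21 10.20.0.15 tcp 44818
2026-04-10T12:00:05Z 10.20.0.15 10.20.0.16 udp 2222
2026-04-10T12:01:10Z 203.0.113.44 10.20.0.15 tcp 44818
2026-04-10T12:02:00Z 10.10.7.88 10.20.0.20 tcp 44818
2026-04-10T12:02:30Z 10.10.7.88 10.20.0.20 tcp 443
"""

if __name__ == "__main__":
    for finding in find_findings(SAMPLE_FLOWS.splitlines()):
        print(*finding)
```

Feed it the output of whatever records the edge firewall or an industrial network monitor already produces, mapped to the five fields above. An `external-source` hit is the exposure the article describes and should drive an immediate firewall change; an `unauthorized-internal-source` hit is the segmentation gap between corporate IT and OT, and the source host is the first place to look for a compromised engineering workstation.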

Organizations should establish incident response procedures specific to industrial control system compromises, including coordination with CISA and relevant sector-specific agencies. Conduct tabletop exercises simulating PLC compromise scenarios to test response capabilities and communication procedures. Implement change management processes requiring approval and documentation for all PLC programming modifications, with segregation of duties between operational and security personnel.

Frequently Asked Questions

How can I check if my Rockwell PLCs are exposed to Iranian hackers?
Conduct network scans to identify PLCs with direct Internet connectivity, particularly those reachable on TCP port 44818 (EtherNet/IP). Check for default passwords and review firewall rules that should be blocking external access to industrial control systems.

What immediate steps should I take to protect Rockwell PLCs from attack?
Change all default passwords immediately, implement network segmentation to isolate PLCs from the Internet, and disable unnecessary communication protocols. Deploy industrial firewalls and require VPN access for remote maintenance activities.

Which Rockwell PLC models are most vulnerable to Iranian cyber attacks?
ControlLogix 5580, 5570, and 5560 series controllers along with CompactLogix 5380 and 5370 models face the highest risk, especially when maintaining factory default configurations. Internet-exposed units with unchanged credentials are primary targets.
