Yotam Gutman

23/4/2026

Internet-Exposed PLCs: How Iran Accessed US Critical Infrastructure

Iran-affiliated actors hit US PLCs without a zero-day. They needed exposure, legitimate tools, and open engineering paths. That is the real problem.

A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command confirms that Iran-affiliated actors have been compromising internet-facing operational technology devices across U.S. critical infrastructure, including Rockwell Automation/Allen-Bradley PLCs, causing confirmed operational disruption and financial loss.

The advisory is significant. What it reveals about how PLC attacks actually happen is more significant still.

This was not a zero-day. It was an exposure problem.

When most people imagine an attack on a programmable logic controller, they picture something highly specialized: custom malware, deep protocol manipulation, or an adversary with rare ICS tradecraft. This campaign does not fit that picture.

According to Censys research, 5,219 Rockwell/Allen-Bradley hosts were internet-exposed at the time of the advisory, including 3,891 in the United States. A significant share were sitting on cellular carrier networks, suggesting field-deployed systems connected through cellular modems — assets that operators may not think of as "online" in the conventional sense, but that are reachable from anywhere.

This is not a story about a breakthrough exploit. It is a story about doors that were already open.

This campaign also did not begin in 2026. The same advisory ties this activity to a pattern that started in November 2023, when IRGC-CEC-affiliated actors known as CyberAv3ngers targeted Unitronics PLCs and HMIs across U.S. water and wastewater systems, compromising at least 75 devices across multiple critical infrastructure sectors. The entry method in that campaign: default passwords or no passwords at all. Different vendor families, different targets, same underlying condition: internet-reachable OT with insufficient access control.

The exposure has been there for years. The targeting continues because it works.

How attackers found a path in

The first step was not breaking the controller. It was finding one that was reachable.

Censys notes that EtherNet/IP identity responses can reveal product family and firmware details without authentication. In protocol terms this is the ListIdentity request on TCP/UDP port 44818: a single unauthenticated message, sent before any session is registered, that the device answers with its vendor, device type, product name, firmware revision, serial number and state. An attacker scanning for exposed Rockwell devices therefore gets a detailed fingerprint of what they are looking at before attempting any further interaction. That changes the economics of OT targeting. Instead of probing blindly and hoping, an adversary can identify the specific family of controller, read off the firmware version, and prioritize the most accessible or least-defended systems first.
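The exchange described above, as an added example that is not code from the advisory or from Censys: the request side is the real 24-byte ListIdentity encapsulation frame, and the parser walks the Common Packet Format Identity item exactly as a scanner would. The reply bytes are constructed for the example (vendor ID 1 and device type 0x0E are real code assignments; the product name, product code, revision and serial number are made up), so it runs offline.

```python
"""EtherNet/IP ListIdentity: what an unauthenticated scanner learns.

Added example, not code from the advisory or from Censys. It builds the
24-byte ListIdentity request and parses the reply. The reply bytes are
constructed here for illustration; they are not captured traffic.
"""
import struct

ENIP_LIST_IDENTITY = 0x0063   # encapsulation command, TCP/UDP 44818
CPF_IDENTITY_ITEM = 0x000C    # Common Packet Format item carrying Identity
ENCAP_HDR = "<HHII8sI"        # command, length, session, status, context, options

# Real assignments: ODVA vendor ID 1 is Rockwell Automation/Allen-Bradley;
# CIP device type 0x0E is the Programmable Logic Controller profile.
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}
DEVICE_TYPES = {0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}
STATES = {0: "Nonexistent", 1: "Self Testing", 2: "Standby", 3: "Operational",
          4: "Major Recoverable Fault", 5: "Major Unrecoverable Fault"}


def build_list_identity_request() -> bytes:
    """One datagram, no session registration, no credentials."""
    return struct.pack(ENCAP_HDR, ENIP_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity_reply(data: bytes) -> dict:
    """Return the Identity attributes a device volunteers in its reply."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(ENCAP_HDR, data, 0)
    if cmd != ENIP_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status 0x{status:08x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if type_id == CPF_IDENTITY_ITEM:
            return _parse_identity_item(item)
    raise ValueError("no Identity item in reply")


def _parse_identity_item(item: bytes) -> dict:
    # Layout: protocol version (2, LE), sockaddr_in (16, big-endian fields),
    # then the CIP Identity attributes in little-endian order.
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product_code, rev_major, rev_minor, _status, serial, name_len = \
        struct.unpack_from("<HHHBBHIB", item, 18)
    name = item[33:33 + name_len].decode("ascii", "replace")
    state = item[33 + name_len]
    return {
        "vendor": VENDOR_NAMES.get(vendor, f"vendor {vendor}"),
        "device_type": DEVICE_TYPES.get(dev_type, f"type 0x{dev_type:02x}"),
        "product_code": product_code,
        "product_name": name,
        "firmware": f"{rev_major}.{rev_minor:03d}",
        "serial": f"{serial:08x}",
        "state": STATES.get(state, f"state {state}"),
        "reported_ip": ".".join(str(b) for b in addr),
        "reported_port": port,
    }


def build_sample_reply(name: str = "1756-L71/B LOGIX5571", ip: str = "192.0.2.10",
                       revision=(33, 11), serial: int = 0x00C0FFEE) -> bytes:
    """Constructed reply. Product name, code, revision and serial are made up."""
    octets = bytes(int(o) for o in ip.split("."))
    sockaddr = struct.pack(">HH4s8s", 2, 44818, octets, b"\x00" * 8)
    name_b = name.encode("ascii")
    ident = (struct.pack("<H", 1) + sockaddr
             + struct.pack("<HHHBBHIB", 1, 0x0E, 0x005A, revision[0], revision[1],
                           0x0030, serial, len(name_b))
             + name_b + bytes([3]))                      # state 3 = Operational
    cpf = struct.pack("<HHH", 1, CPF_IDENTITY_ITEM, len(ident)) + ident
    return struct.pack(ENCAP_HDR, ENIP_LIST_IDENTITY, len(cpf), 0, 0, b"\x00" * 8, 0) + cpf


if __name__ == "__main__":
    for k, v in parse_list_identity_reply(build_sample_reply()).items():
        print(f"{k:13} {v}")
```

Everything in the parsed dictionary is handed over by the device before any login, which is why an internet-reachable controller is already fingerprinted down to its firmware revision the moment a scanner sees it.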

From there, the path to access follows ordinary infrastructure, not exotic exploits.

Why legitimate tools are the weapon

The advisory and Censys analysis both indicate that actors used legitimate Rockwell software, including Studio 5000 Logix Designer, to establish accepted connections to victim PLCs.

That is the finding that matters most, and it shifts the conversation away from "Did they exploit a vulnerability?" toward a harder question: why were they able to use normal engineering paths from the internet at all?

In many environments, that path exists because the controller, the remote access infrastructure, or the engineering workstation around it is more exposed than operators realize. Studio 5000 is the tool engineers use to program and commission Rockwell PLCs. When an attacker reaches a PLC using Studio 5000 over a legitimate connection, traditional detection based on known malicious signatures or anomalous protocols has very little to work with. The session looks like an engineer doing their job.

Once access is established using legitimate tools, consequences become operational rather than merely technical. The advisory confirms that the activity included malicious interaction with project files and manipulation of data shown on HMI and SCADA displays. Even before logic is changed, the ability to alter what operators see can create immediate confusion on the plant floor, slow incident response, and push a control environment into unsafe or costly decisions.
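Because the session itself is indistinguishable from an engineer's, detection has to come from context rather than content. The following is an added example, not code from the advisory or from Censys: it runs an inventory-based allowlist over constructed Zeek conn.log-style records and flags any EtherNet/IP session to a controller whose source is not an approved engineering workstation, with a higher severity when the source is not even on an internal network. The addresses in the inventory are hypothetical.

```python
"""Context-based alerting for EtherNet/IP engineering sessions.

Added example, not code from the advisory or from Censys. A Studio 5000
session is protocol-legitimate, so this check ignores payload and asks
only whether the source is allowed to reach a controller at all. The
connection records are constructed, Zeek conn.log-style tuples, and the
addresses in the inventory are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

ENIP_PORTS = {44818, 2222}   # explicit messaging (TCP/UDP) and implicit I/O (UDP)

# Inventory the detection relies on. Explicit networks are used instead of
# ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_EWS = {ipaddress.ip_address("10.20.1.15")}       # engineering workstation
PLCS = {ipaddress.ip_address("10.20.5.10"), ipaddress.ip_address("10.20.5.11")}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def classify(conn: Conn):
    """Return an alert dict for a PLC session from an unapproved source, else None."""
    dst = ipaddress.ip_address(conn.dst)
    if dst not in PLCS or conn.dport not in ENIP_PORTS:
        return None                      # not a CIP path to a controller
    src = ipaddress.ip_address(conn.src)
    if src in APPROVED_EWS:
        return None                      # the one path that is supposed to exist
    if any(src in net for net in INTERNAL_NETS):
        severity, reason = "high", "CIP session to PLC from unapproved internal host"
    else:
        severity, reason = "critical", "CIP session to PLC from internet-routable source"
    return {"severity": severity, "reason": reason, "ts": conn.ts,
            "src": conn.src, "dst": conn.dst, "dport": conn.dport}


def run(conns):
    return [a for a in map(classify, conns) if a is not None]


# Constructed records: one approved session, one from a corporate host,
# one from a public address, one non-CIP connection to the same PLC.
SAMPLE_CONNS = [
    Conn("08:02:11", "10.20.1.15",   "10.20.5.10", 44818, "tcp"),
    Conn("08:05:40", "10.30.7.22",   "10.20.5.10", 44818, "tcp"),
    Conn("23:41:03", "203.0.113.45", "10.20.5.11", 44818, "tcp"),
    Conn("23:41:09", "203.0.113.45", "10.20.5.11", 22,    "tcp"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_CONNS):
        print(alert)
```

The check never looks inside the CIP traffic, and it does not need to: the question it answers is the one the advisory raises, namely whether this source should be able to open an engineering path to a controller at all. A "critical" hit here is the same condition Censys measured at internet scale.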

Pathway attacks: the controller is the end target, not the entry point

The Censys data adds another layer. The same population of exposed hosts included significant co-exposure of services like VNC, Telnet, and Modbus. Censys identified at least one exposed Windows engineering workstation running the Rockwell toolchain among the observed infrastructure.

That is a reminder of something OT security teams know but do not always act on: the most dangerous asset is not always the controller. It may be the HMI, the remote desktop service, the engineering laptop, or the jump host that sits next to the controller and inherits far less scrutiny than it deserves.

The most useful way to think about PLC attacks is as pathway attacks. The controller is the end target, but the attack travels through ordinary things: remote connectivity, flat trust relationships, exposed management services, vendor tooling, and under-monitored engineering systems. In that framing, the latest campaign is unsettling precisely because it looks so normal. The attackers did not appear to need extraordinary capabilities. They needed open doors.

The architectural argument

The advisory's recommended actions are clear: remove PLCs from direct internet exposure, enforce MFA on remote OT access, including cellular management paths, and segment engineering networks from corporate IT.

Those actions are correct. They are also reactive, responses to an exposure model that should not have existed in the first place.

The deeper issue is architectural. Engineering workstations should not be reachable from the public internet. Remote field assets should not depend on always-on connectivity without strong mediation. OT environments should not inherit internet-scale exposure while still operating on trust models built for isolated plants and closed networks.

Zeroport Fantom addresses the remote access layer directly. The connection does not run over IP. What crosses the boundary is pixels outbound, a display stream of the engineering environment, and mouse and keyboard commands inbound. Studio 5000 can be accessed remotely through a Zeroport connection. There is no network path between the remote operator and the PLC environment. An attacker who has compromised the remote operator's machine has no tunnel to traverse back into the plant network. A compromised vendor environment has no path to the field asset it services.

If a PLC is exposed like an IT asset but trusted like an OT asset, attackers do not need extraordinary capabilities to cause damage. They only need to behave like an engineer with the wrong intent. Removing the network path removes that option.

Book a live demo to see how Zeroport Fantom delivers hardware-enforced OT remote access with no network path into your plant environment.
