How to Cloak Critical Infrastructure: Protecting Internet-Exposed PLCs Without Redesigning Industrial Networks

This morning, six U.S. federal agencies issued an urgent joint advisory: Iranian-affiliated hackers have been actively disrupting programmable logic controllers across American energy, water, and government facilities since at least March 2026. Some of the victims experienced operational disruption and financial loss. The attacks are ongoing.
This is not a hypothetical threat scenario. This is not a warning about vulnerabilities that could be exploited. PLCs controlling real industrial processes have already been tampered with. SCADA displays have been manipulated. Operations have been interrupted. And the agencies - FBI, CISA, NSA, EPA, DOE, and Cyber Command - used the word "urgently."
The question every OT security manager and CISO at a utility, energy operator, or government facility should be asking right now is not whether their organization could be targeted. The question is whether their PLCs are visible to anyone on the internet. Because that's exactly how these attacks started.
What the Advisory Actually Says
According to CISA advisory AA26-097A published today, Iranian-affiliated APT actors have been using overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley PLCs - specifically CompactLogix and Micro850 devices. They connected using legitimate configuration software - Rockwell's own Studio 5000 Logix Designer - which means the initial access didn't require breaking encryption or defeating a security control. It required finding a device that was reachable from the internet and connecting to it.
Once connected, the actors manipulated project files and altered what operators saw on their HMI and SCADA displays. The advisory also flags that the actors appear to be scanning ports associated with other OT vendors' protocols - including Siemens S7 - suggesting the campaign may extend beyond Rockwell devices.
The targeted sectors include energy, water and wastewater systems, and government services and facilities. This is the same threat actor lineage - affiliated with Iran's IRGC - responsible for a 2023 campaign under the "CyberAv3ngers" persona that compromised at least 75 Unitronics PLCs across U.S. utilities. That earlier campaign relied on a different device and a different entry vector (default password "1111" on internet-exposed Unitronics Vision Series controllers). Today's campaign targets a different manufacturer and uses legitimate software to establish connections - a more operationally sophisticated approach.
The escalation began in March 2026, following the onset of U.S.-Israel strikes against Iran. It reflects a documented pattern: Iranian cyber operations against U.S. critical infrastructure intensify during periods of geopolitical tension, targeting operational technology as a pressure lever.
The Perimeter Already Failed
Every ICS security conversation eventually arrives at the same uncomfortable question: how did these devices end up on the internet in the first place?
The honest answer is that it happened gradually, then all at once. Remote monitoring requirements. Vendor access for maintenance. Industry 4.0 connectivity initiatives. IT/OT convergence projects. Each decision made sense in isolation. Collectively, they opened pathways between internet-reachable systems and industrial controllers that were designed in an era when "network security" meant a locked cabinet.
Legacy PLCs - and most operational PLCs are legacy by any reasonable definition - were not built for the environment they now operate in. They run proprietary protocols with no native encryption. They cannot install security agents. Many cannot be patched without taking production offline. The Rockwell/Allen-Bradley devices targeted in today's advisory were apparently accessible using default configuration software with insufficient access controls. That's not a Rockwell problem specifically. It's a category-wide reality across industrial manufacturers.
Firewalls and network segmentation are the conventional response, and they matter. But firewalls protect network boundaries, not individual assets. Once an attacker is inside the boundary - through a phishing email, a compromised vendor credential, an unpatched edge device - flat or lightly segmented OT networks offer limited resistance to lateral movement toward the controllers at the center of operations. The Iranian actors in today's advisory were not using sophisticated exploits. They were using legitimate software to reach devices that shouldn't have been reachable. The attack surface was the exposure itself.
The vulnerability picture makes the patching option largely theoretical. According to Dragos' 2026 OT/ICS Cybersecurity Year in Review - covering 2025 incident data - 26% of ICS vulnerability advisories contained no patch or mitigation from vendors. For a quarter of disclosed vulnerabilities, operators have no remediation path even if they want one. The industry has a structural patching problem that predates any Iranian campaign.
Why Traditional ICS Security Approaches Fall Short
The conventional toolkit for OT security - firewalls between IT and OT zones, air-gapping where possible, network-based segmentation via VLANs - was designed for a threat model that assumed attackers would be external and would need to defeat a perimeter. That model has three problems that today's advisory makes concrete.
Air-gapping doesn't hold. Business requirements inevitably create connectivity. Remote access for vendors, integration with business systems, cloud connectivity for monitoring - each one punches a hole in what was supposed to be a physical barrier. Shadow IT connections emerge outside security visibility because operational teams need functionality that security policy doesn't provide.
Firewall rule sets accumulate exceptions. Every legitimate business need that requires cross-boundary communication becomes a firewall rule. Over time, those rules accumulate, conflict, and create invisible attack paths that no one fully understands. An ICS security audit finding on firewall complexity is not an abstract concern - it's a description of actual lateral movement opportunities.
Network-based segmentation doesn't protect individual assets. Even well-segmented OT networks group multiple devices into the same zone. Compromise of any device in a zone opens access to all devices in that zone. For PLCs specifically, zone-level protection is too coarse to prevent the kind of targeted manipulation described in today's advisory.
The fundamental problem is that traditional ICS security protects the network path to assets rather than the assets themselves. When the path is reachable - as it clearly was for the Iranian actors targeting Rockwell PLCs - there is nothing between the attacker and the controller except whatever authentication the controller itself provides, which is often inadequate.
The Alternative: Make the PLCs Invisible
The most effective defense against this specific attack pattern is to eliminate the exposure entirely. Not by redesigning the network. By wrapping the assets themselves in a security boundary that makes them unreachable to unauthorized parties, regardless of how those parties gained network access.
This is what Zero Trust architecture means in an OT context, and it's meaningfully different from what most Zero Trust conversations address. Enterprise Zero Trust focuses on identity-based access for users and cloud workloads. OT Zero Trust has to work with devices that have no identity stack, can't run agents, can't tolerate configuration changes, and can't be taken offline for maintenance windows.
The architectural approach that works for these constraints is an overlay model: a software-defined security boundary deployed on top of existing infrastructure, wrapping critical OT assets independently of the underlying network topology. The key capabilities this model delivers:
Agentless protection. A Zero Trust Gatekeeper deployed inline with the PLC enforces access policies without requiring any modification to the controller itself. The device doesn't know it's protected. The network doesn't change. IP addresses, VLANs, and firewall rules remain untouched.
Asset-level invisibility. Protected assets become unreachable to any user or system not explicitly authorized. The device doesn't respond to scans. It doesn't accept connection attempts from unknown sources - including the legitimate Rockwell configuration software being used in today's campaign. The attack surface shrinks from "anything that can reach this network segment" to "only verified, authorized identities."
Lateral movement containment. Even if an attacker gains a foothold elsewhere on the network - through a phishing attack, a compromised workstation, or a vulnerable edge device - OT assets protected in Virtual Chambers are not reachable through lateral movement. The chamber enforces least-privilege access at the application layer, independently of network-layer controls.
Encrypted communication for legacy protocols. Industrial protocols like Modbus, DNP3, and EtherNet/IP have no native encryption. An overlay architecture can encrypt traffic at the session layer without modifying the protocol or the device. The fact that today's advisory flags port 502 scanning - Modbus - underlines why protocol-level encryption matters for devices that can't implement it natively.
The result is an OT environment where the PLCs are, in effect, invisible to the threat actors described in today's advisory. They cannot be reached through the internet. They cannot be reached through lateral movement from a compromised IT workstation. The only path to them runs through explicit, identity-verified authorization - even for the legitimate configuration software that the Iranian actors were using to connect.
What to Do Today
The advisory includes CISA's standard mitigation guidance: disable unused ports, require authentication for remote configuration changes, segment OT networks from IT and internet access, and monitor for unauthorized access attempts. These are correct and necessary, and if your organization hasn't implemented them, start there.
But the structural gap the advisory exposes - internet-accessible PLCs in production environments - requires more than a checklist. It requires changing the fundamental assumption that network boundaries are sufficient protection for industrial assets.
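The advisory's last mitigation, monitoring for unauthorized access attempts, can be started from data most operators already collect. The following is an added example, not code from CISA or from Zentera: it parses a few constructed firewall connection-log lines (the log format, the internal address ranges and every address in the sample are assumptions built for this illustration, not any vendor's real syslog) and reports which OT assets completed or were probed for sessions from outside the organisation on the standard ports of the protocols the advisory names.

```python
"""Spot inbound OT-protocol sessions from outside the organisation.

Added example, not code from CISA or from Zentera. Parses constructed
firewall connection-log lines and reports which OT assets accepted, or
were probed by, external sources on well-known ICS ports.
"""
import ipaddress
import re
from collections import defaultdict

# Standard TCP ports for the protocols the advisory names.
OT_PORTS = {
    44818: "EtherNet/IP (CIP transport used by Studio 5000 to reach Logix controllers)",
    502: "Modbus/TCP",
    102: "ISO-TSAP (Siemens S7)",
    20000: "DNP3",
}

# Address space the organisation treats as internal (assumption: plain RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed log format: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for real external addresses.
SAMPLE_LOG = """\
2026-04-07T03:12:44Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.5:44818
2026-04-07T03:12:51Z ALLOW TCP 203.0.113.45:51240 -> 10.20.30.5:44818
2026-04-07T03:13:02Z DENY  TCP 198.51.100.9:40001 -> 10.20.30.7:502
2026-04-07T03:13:05Z DENY  TCP 198.51.100.9:40002 -> 10.20.30.7:102
2026-04-07T03:14:10Z ALLOW TCP 10.20.1.14:52000 -> 10.20.30.5:44818
2026-04-07T03:15:00Z ALLOW TCP 203.0.113.45:51300 -> 10.20.1.14:443
""".splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_str):
    """True when the address is outside every configured internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposures(lines):
    """Map each OT asset to the external sources that reached it, or were blocked from it."""
    report = defaultdict(lambda: {"allowed_from": set(), "blocked_from": set(), "services": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in OT_PORTS or not is_external(rec["src"]):
            continue  # malformed, not an OT port, or an internal source
        entry = report[rec["dst"]]
        entry["services"].add(OT_PORTS[rec["dport"]])
        key = "allowed_from" if rec["action"] == "ALLOW" else "blocked_from"
        entry[key].add(rec["src"])
    return dict(report)


def internet_exposed_assets(report):
    """Assets that completed at least one OT-protocol session from an external source."""
    return sorted(asset for asset, e in report.items() if e["allowed_from"])


if __name__ == "__main__":
    rep = find_exposures(SAMPLE_LOG)
    for asset, e in sorted(rep.items()):
        status = "EXPOSED" if e["allowed_from"] else "probed (blocked)"
        print(f"{asset}: {status}; services={sorted(e['services'])}; "
              f"allowed_from={sorted(e['allowed_from'])}; blocked_from={sorted(e['blocked_from'])}")
```

A blocked probe against a Modbus or S7 port is still worth a ticket: it shows the asset is being enumerated from outside, which is the scanning behaviour the advisory describes. The log-based view only covers what the firewall sees, so it complements rather than replaces an external assessment of your own address space such as the free CISA assessment mentioned below.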
The specific steps worth taking now:
Inventory your internet-accessible OT assets. CISA offers free assessments to critical infrastructure operators. Many organizations don't have accurate visibility into which OT devices are reachable from outside their network. Start with an honest inventory. If you're a water, energy, or government facility operator, assume you have exposure until you've verified otherwise.
Don't limit your scope to Rockwell devices. Today's advisory notes that actors appear to be scanning ports associated with Siemens S7 PLCs as well. The targeting appears opportunistic across OT vendors, not manufacturer-specific.
Prioritize your highest-consequence assets. Not every PLC carries the same operational risk. The controllers managing critical process steps - water treatment chemistry, power distribution switching, fuel handling - represent a different risk level than monitoring-only devices. Protect the highest-consequence assets first.
Evaluate your lateral movement exposure. Even if your PLCs aren't directly internet-accessible, ask how many steps an attacker would need to traverse from a compromised IT workstation to your OT network. If the answer is two or fewer - and for most organizations with any IT/OT convergence, it is - that's your actual attack surface.
Deploy overlay protection where agents aren't an option. For legacy PLCs and SCADA systems that cannot run agents or tolerate configuration changes, an inline agentless approach is the only path to Zero Trust protection without operational disruption.
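The "two or fewer hops" check in the lateral-movement step, and the asset-level gate described in the overlay section above, as an added example (not Zentera's code or product logic): a constructed set of zone-level firewall allow rules is turned into a directed graph, a breadth-first search counts hops from a foothold to the PLC zone, and a per-asset identity policy (an assumption standing in for whatever a real inline gatekeeper enforces) is applied as a condition on entering the asset. Every zone name, rule and identity here is constructed.

```python
"""Count hops from a foothold to the PLC zone, then re-evaluate with an asset-level identity gate.

Added example; zones, rules and identities are constructed and do not
describe any real network or product.
"""
from collections import deque

# Zone-level firewall allow rules as (source_zone, destination_zone).
# Constructed to resemble a typical partially converged IT/OT site.
FIREWALL_ALLOWS = [
    ("internet", "dmz"),
    ("it_workstations", "dmz"),
    ("it_workstations", "historian"),
    ("dmz", "historian"),
    ("historian", "ot_control"),        # historian pulls data from the SCADA servers
    ("ot_control", "plc_zone"),         # SCADA polls the controllers
    ("it_workstations", "engineering_ws"),  # remote desktop from IT to the engineering workstation
    ("engineering_ws", "plc_zone"),     # Studio 5000 downloads from the engineering workstation
]

# Asset-level policy for chambered assets: asset -> identities allowed to open a session.
# Anything not listed here is assumed unprotected by the overlay.
CHAMBER_POLICY = {"plc_zone": {"ot-engineer@plant"}}


def build_graph(rules):
    """Adjacency sets from allow rules; a rule is an edge in the direction a session can be opened."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def hops_to(graph, start, target, can_enter=lambda node: True):
    """Shortest hop count from start to target, or None if unreachable.

    can_enter(node) models a control applied at the asset itself: a node
    is only traversed when the caller is allowed to enter it.
    """
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in graph.get(node, ()):
            if nxt in seen or not can_enter(nxt):
                continue
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def gate(identities):
    """Entry condition for a caller holding the given set of verified identities."""
    def can_enter(node):
        allowed = CHAMBER_POLICY.get(node)
        return allowed is None or bool(allowed & identities)
    return can_enter


def is_high_exposure(hops, threshold=2):
    """The page's rule of thumb: reachable in two hops or fewer is your real attack surface."""
    return hops is not None and hops <= threshold


def exposure_report(graph, foothold, assets, identities=frozenset()):
    """Per asset: hops with network controls only, and hops once the chamber gate is applied."""
    return {
        asset: {
            "network_only": hops_to(graph, foothold, asset),
            "with_chamber": hops_to(graph, foothold, asset, gate(identities)),
        }
        for asset in assets
    }


if __name__ == "__main__":
    g = build_graph(FIREWALL_ALLOWS)
    for foothold in ("internet", "it_workstations"):
        rep = exposure_report(g, foothold, ["plc_zone"])
        n = rep["plc_zone"]["network_only"]
        print(f"{foothold} -> plc_zone: {n} hops (high exposure: {is_high_exposure(n)}); "
              f"with chamber and no authorized identity: {rep['plc_zone']['with_chamber']}")
    stolen = frozenset({"ot-engineer@plant"})
    print("with a stolen engineer identity:",
          exposure_report(g, "it_workstations", ["plc_zone"], stolen)["plc_zone"]["with_chamber"])
```

The last line of the demo is the caveat a practitioner should keep in view: once the overlay is in place the question changes from "which hosts can route to the PLC" to "which identities are authorized", so the credentials and sessions of those identities become the thing to protect and monitor, and an identity list that quietly grows is the overlay equivalent of a firewall rule set accumulating exceptions.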
The joint advisory ends with a standard resource list. What it can't provide is the architectural posture that prevents the next advisory from describing your organization as one of the victims. That requires treating OT assets not as protected by the network around them, but as assets that need protection that doesn't require them to do anything at all.
Zentera's Virtual Chamber architecture protects OT environments including PLCs, SCADA systems, HMIs, and legacy ICS devices - agentlessly, without network redesign, and without production disruption.
Sources
- CISA Advisory AA26-097A - "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure" - April 7, 2026 https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
- CISA Advisory AA23-335A - "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities" - Originally December 1, 2023; updated December 18, 2024 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
- CyberScoop - "Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn" - Tim Starks, April 7, 2026 https://cyberscoop.com/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning/
- Dragos - "2026 OT/ICS Cybersecurity Year in Review" - February 17, 2026 https://www.dragos.com/blog/dragos-2026-ot-cybersecurity-year-in-review
