PLC Systems Under Attack
U.S. agencies warned that Iranian-linked hackers are actively targeting exposed programmable logic controllers used in water, energy and government facilities, with the goal of manipulating industrial control systems. The advisory urged defenders to disconnect internet-facing PLCs, enforce multi-factor authentication, and audit default settings like Dropbear SSH to reduce attack surface. For local governments that operate utilities or interface with industrial systems, the alert raises immediate patching and isolation priorities. (x.com)
A programmable logic controller is the small industrial computer that opens a valve, starts a pump, or trips a breaker when a sensor reading crosses a limit. In a water plant or power site, it is the box that turns software commands into physical motion. (cisa.gov)

The new warning says Iranian-affiliated hackers are going after those boxes when they are reachable from the public internet. The advisory says the activity has already disrupted programmable logic controllers in U.S. government, water, wastewater, and energy organizations. (cisa.gov) The target is not office email or payroll software. The target is operational technology, which is the layer of computers that directly runs machines, the way a thermostat runs a furnace instead of just reporting the room temperature. (cisa.gov)

The agencies say the attackers have been tampering with project files inside Rockwell Automation Allen-Bradley controllers. They also manipulated what operators saw on human-machine interface and supervisory control and data acquisition screens, which are the dashboards staff use to watch pumps, tanks, and switches. (cisa.gov) That matters because a false screen can be as dangerous as a broken motor. If an operator sees a normal reading on the display while the underlying controller has been changed, the plant can keep running in the wrong state until equipment fails or service stops. (cisa.gov)

This is not the first time U.S. agencies have tied Iranian actors to exposed industrial devices. In December 2023, CISA said Islamic Revolutionary Guard Corps-linked operators using the name CyberAv3ngers compromised internet-exposed Unitronics controllers, including devices at U.S. water and wastewater facilities, by using default passwords. (cisa.gov) The pattern is simple and ugly: find a controller that was never meant to sit naked on the internet, log in through a weak setting, and change the machine from far away.
The April 7, 2026 advisory says defenders should remove programmable logic controllers from direct internet exposure and put them behind a secure gateway and firewall. (cisa.gov) The agencies also called out specific network ports to inspect, including 44818, 2222, 102, and 502. Those ports are doorways used by industrial protocols and remote access services, and the advisory says suspicious traffic from overseas hosting providers deserves immediate review. (cisa.gov)

One detail in the warning is Dropbear secure shell, a lightweight remote login tool often used on embedded devices. If a controller or adjacent device still has Dropbear enabled with old credentials or default settings, it gives an attacker a ready-made maintenance tunnel into the plant. (cisa.gov)

For Rockwell controllers, the agencies gave one unusually physical step: put the mode switch in the Run position. That switch can block remote program changes on some models, which turns a software problem into something that requires a person standing in front of the cabinet. (cisa.gov)

The agencies behind the warning were the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, and the Department of Defense Cyber Crime Center, and they published it on April 7, 2026. For any city, county, or utility district that runs pumps, lift stations, substations, or building controls, this is a same-week isolation and audit job, not a next-quarter paperwork exercise. (cisa.gov)
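As an added example (not from the advisory or any agency tooling), here is a small Python triage script a utility could run over a firewall log export to find the traffic the advisory asks about: any source outside the plant's own address ranges that reached one of the listed ports, plus port 22 on the assumption that Dropbear is answering on the standard SSH port. The key=value log format, the internal ranges and the sample addresses are all assumptions; the protocol labels are standard port assignments added for context.

```python
import ipaddress
import re

# Ports the advisory tells defenders to inspect. Protocol labels are
# standard port assignments added for context, not taken from the advisory.
OT_PORTS = {
    44818: "EtherNet/IP explicit messaging (CIP)",
    2222: "EtherNet/IP implicit I/O (CIP)",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
    22: "SSH (Dropbear on embedded devices)",  # assumed: advisory names Dropbear, not a port
}

# Assumed plant/enterprise address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed key=value log shape; adapt the regex to your firewall's export format.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")

def is_external(ip):
    """Treat any address outside the configured internal ranges as internet-sourced."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_external_ot_hits(lines):
    """Return (src, dst, port, label, action) per external source that touched an OT port.
    Denied attempts are kept: they show who is probing, not only who got in."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a connection record in the expected shape
        dport = int(m["dport"])
        if dport in OT_PORTS and is_external(m["src"]):
            hits.append((m["src"], m["dst"], dport, OT_PORTS[dport], m["action"]))
    return hits

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "src=10.20.30.5 dst=10.20.30.40 dport=44818 action=allow",   # engineering workstation to PLC
    "src=203.0.113.7 dst=10.20.30.40 dport=44818 action=allow",  # internet to PLC over EtherNet/IP
    "src=198.51.100.9 dst=10.20.30.41 dport=22 action=allow",    # internet to SSH on a gateway
    "src=203.0.113.7 dst=10.20.30.50 dport=443 action=allow",    # web traffic, not an OT port
    "src=203.0.113.8 dst=10.20.30.40 dport=502 action=deny",     # blocked Modbus probe
]

if __name__ == "__main__":
    for src, dst, port, label, action in flag_external_ot_hits(SAMPLE_LOG):
        print(f"{action:5} {src:>15} -> {dst}:{port}  {label}")
```

Any "allow" line in the output is a live internet path into the control network and belongs at the top of the isolation list; "deny" lines still tell you which external hosts are probing and are worth reviewing against the advisory's note on overseas hosting providers.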