Iran-linked actors hitting OT

U.S. agencies warn Iran-affiliated groups are actively targeting internet-facing operational-technology gear, including programmable logic controllers used across critical infrastructure. This matters because those management surfaces bridge OT and enterprise identity: attackers can exploit remote admin paths to pivot from device compromise into privileged logins. For detection engineers that means correlating authentication, VPN/remote-access logs and OT management events into a single risk object so you can surface privileged logins to internet-facing assets quickly. (Utility Dive) (hstoday.us)

A programmable logic controller is the small industrial computer that tells a pump when to start, a valve when to open, or a conveyor when to stop. On April 7, 2026, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the National Security Agency, and the Department of Defense Cyber Crime Center warned that Iran-affiliated actors have been exploiting internet-facing versions of those devices in U.S. critical infrastructure. (cisa.gov) These are not office laptops. The advisory says the targeted equipment sits in sectors including energy, water, and government services, where a changed setting on one controller can interrupt a physical process instead of just crashing a screen. (cisa.gov, politico.com) The weak point is exposure. Federal agencies said the actors are going after operational technology devices that are reachable from the public internet, which is the industrial equivalent of leaving the control cabinet door open onto the street. (cisa.gov)

The named hardware in this warning is Rockwell Automation's Allen-Bradley line. The advisory says the attackers have targeted programmable logic controllers from that product family and, in some cases, disrupted their function. (cisa.gov, usatoday.com) This is not the first time Iran-linked groups have gone after industrial control systems. In November 2023, U.S. and allied agencies warned that Islamic Revolutionary Guard Corps-affiliated actors had exploited internet-connected programmable logic controllers in multiple sectors, including U.S. water systems. (cisa.gov)

The newer warning says the activity has been identified since at least March 2026. Utility operators were already on edge enough that the North American Electric Reliability Corporation said on April 8 that it was actively monitoring the grid after the federal alert. (cisa.gov, utilitydive.com)

What makes these boxes unusually dangerous is that they are often managed through the same remote paths people use for normal administration. If an attacker reaches the controller, the next useful target is often the login system around it: virtual private network access, remote desktop tools, or shared admin accounts that sit between the factory floor and the corporate network. (cisa.gov, cisa.gov)

That is why the federal guidance is so specific about logs. The April 2026 advisory tells defenders to check traffic tied to industrial protocols and ports including 44818, 2222, 102, and 502, especially when it comes from overseas hosting providers rather than a plant engineer's usual connection path. (cisa.gov)

The most practical fix is boring and effective. CISA says to remove programmable logic controllers from direct internet exposure, put them behind secure gateways and firewalls, and, for Rockwell devices, set the physical mode switch to run so remote users cannot change logic as easily. (cisa.gov)

For security teams, this means one alert is not enough. The useful signal is the combination of a strange remote login, a virtual private network session from an unusual host, and an operational-technology management event touching an internet-facing controller in the same time window. (cisa.gov, cisa.gov) That combination is what turns a nuisance scan into a plant-floor incident. A bad password on an email account is an information-technology problem, but a privileged login tied to a live controller can become a water-pressure problem or a power-dispatch problem within minutes. (cisa.gov, cisa.gov)
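The three-signal correlation described above, as an added example that is not part of the advisory or of any vendor tooling: it folds a privileged login, a VPN session from an unexpected source, and an OT management event on one of the advisory's ICS ports into a single risk object when all three land on the same controller inside one time window. The log-line format, the user and asset names, and the "expected" VPN source prefixes are constructed assumptions.

```python
"""Correlate remote-login, VPN and OT-management events into one risk object.
Added example, not from the advisory; assumes the constructed log lines below."""
from collections import defaultdict
from datetime import datetime, timedelta

# ICS protocol ports named in the CISA advisory (EtherNet/IP, Siemens S7, Modbus).
ICS_PORTS = {44818, 2222, 102, 502}
# Hypothetical plant egress prefixes; a VPN session from anywhere else is "unusual".
EXPECTED_VPN_SRC_PREFIXES = ("10.", "192.0.2.")

def parse(line):
    """Parse one constructed 'ts|type|user|src|asset|port' line into a dict."""
    ts, kind, user, src, asset, port = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "type": kind, "user": user,
            "src": src, "asset": asset, "port": int(port) if port else None}

def correlate(lines, window=timedelta(minutes=15)):
    """One risk object per (user, asset) where a privileged login, a VPN session
    from an unexpected source and an OT management event on an ICS port all
    fall inside `window`; the order of the three events does not matter."""
    by_key = defaultdict(list)
    for ev in map(parse, lines):
        if ev["type"] == "vpn" and ev["src"].startswith(EXPECTED_VPN_SRC_PREFIXES):
            continue  # VPN from the plant's usual path is not a signal on its own
        if ev["type"] == "ot_mgmt" and ev["port"] not in ICS_PORTS:
            continue  # management traffic on a non-ICS port is out of scope here
        by_key[(ev["user"], ev["asset"])].append(ev)
    risks = []
    for (user, asset), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            kinds = {e["type"] for e in span}
            if {"login", "vpn", "ot_mgmt"} <= kinds:
                risks.append({"user": user, "asset": asset, "start": first["ts"],
                              "sources": sorted({e["src"] for e in span})})
                break  # one risk object per key is enough to page someone
    return risks

# Constructed sample: eng1 shows the full chain from a hosting-provider address;
# eng2 is a routine session from the plant network and must not be flagged.
SAMPLE = [
    "2026-04-07T02:10:00|vpn|eng1|198.51.100.7|plc-well-3|",
    "2026-04-07T02:12:30|login|eng1|198.51.100.7|plc-well-3|",
    "2026-04-07T02:20:05|ot_mgmt|eng1|198.51.100.7|plc-well-3|44818",
    "2026-04-07T08:00:00|vpn|eng2|10.20.0.5|plc-well-3|",
    "2026-04-07T08:03:00|login|eng2|10.20.0.5|plc-well-3|",
    "2026-04-07T08:05:00|ot_mgmt|eng2|10.20.0.5|plc-well-3|502",
]
```

Running `correlate(SAMPLE)` yields one risk object for eng1 on plc-well-3 and nothing for eng2, whose VPN session came from the expected plant prefix.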


Shared from Scout - Be the smartest in the room.