What happened
Nearly 4,000 internet-exposed industrial devices in the United States are now part of the attack surface in an ongoing Iranian-linked campaign targeting critical infrastructure. U.S. federal agencies said Iranian state-backed hacking groups have been targeting Rockwell Automation and Allen-Bradley programmable logic controllers since March 2026, leading to operational disruptions and financial losses. The agencies said the activity included extraction of project files and manipulation of HMI and SCADA displays. Separate internet exposure data identified 5,219 such hosts worldwide responding to EtherNet/IP, with 3,891 of them located in the United States. The data also showed a notable concentration on cellular carrier networks, suggesting many of the exposed devices are field-deployed systems connected through cellular modems.
Who is affected
The direct exposure affects U.S. organizations running internet-accessible Rockwell Automation and Allen-Bradley PLC devices, especially those tied to critical infrastructure and operational technology environments. The reported device exposure also suggests some of these systems are deployed in remote or field settings using cellular connectivity, which may complicate visibility and control.
Why CISOs should care
This matters because the activity is targeting operational technology that can directly influence industrial processes rather than only corporate IT systems. The campaign also involves manipulation of HMI and SCADA displays and extraction of project files, which raises both operational and financial risk for affected organizations.
3 practical actions
- Reduce internet exposure immediately: Place exposed PLCs behind a firewall or disconnect them from the public internet where possible.
- Hunt for suspicious OT traffic: Review logs and network activity for signs of malicious behavior on OT ports, especially traffic originating from overseas hosting providers.
- Tighten access controls on OT environments: Enforce MFA for access to OT networks, keep PLC devices updated, and disable unused services and authentication methods.
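The second action, hunting for unexpected traffic on OT ports, is concrete enough to script. The following is an added example, not code from the article or from any of the agencies or vendors it mentions: it reads firewall-style flow records, keeps only those destined for the standard EtherNet/IP ports (TCP/UDP 44818 for explicit CIP messaging, UDP 2222 for implicit I/O), drops flows from subnets you have allowlisted for engineering and SCADA access, and reports what remains, grouped by source so that one host touching several PLCs stands out. The allowlisted subnets, the CSV log format and the sample log lines are constructed for the example; the EtherNet/IP port numbers are the standard assignments.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Standard EtherNet/IP ports: TCP/UDP 44818 for explicit (CIP) messaging,
# UDP 2222 for implicit I/O traffic.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Hypothetical allowlist of subnets permitted to reach the PLCs
# (engineering workstations, SCADA/HMI servers). Constructed for this example.
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# RFC 1918 ranges, used only to label a hit as "unlisted internal" vs "external".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records in the shape many firewalls export:
# timestamp,src_ip,dst_ip,proto,dst_port,bytes
SAMPLE_LOG = """\
2026-03-14T02:11:03Z,10.20.1.5,10.30.0.11,tcp,44818,5120
2026-03-14T02:12:44Z,203.0.113.45,10.30.0.11,tcp,44818,1840
2026-03-14T02:12:45Z,203.0.113.45,10.30.0.12,tcp,44818,1790
2026-03-14T02:13:10Z,198.51.100.9,10.30.0.11,udp,2222,640
2026-03-14T02:14:02Z,10.99.0.7,10.30.0.11,tcp,44818,2210
2026-03-14T02:15:30Z,203.0.113.45,10.30.0.11,tcp,443,900
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV flow record into a Flow."""
    ts, src, dst, proto, dport, nbytes = (field.strip() for field in line.split(","))
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(nbytes))


def in_any(addr, networks) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def hunt(lines):
    """Return EtherNet/IP flows whose source is not an authorized subnet."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if (flow.proto, flow.dport) not in ENIP_PORTS:
            continue  # not PLC protocol traffic
        if in_any(flow.src, AUTHORIZED_SOURCES):
            continue  # expected engineering/SCADA traffic
        reason = "unlisted internal source" if in_any(flow.src, RFC1918) else "external source"
        findings.append({
            "ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst),
            "proto": flow.proto, "dport": flow.dport, "reason": reason,
        })
    return findings


def summarize(findings):
    """Count distinct PLC targets per unauthorized source; one source reaching
    several PLCs looks like enumeration rather than a single misrouted connection."""
    targets = defaultdict(set)
    for f in findings:
        targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}  {f['reason']}")
    for src, n in summarize(found).items():
        print(f"{src}: {n} distinct PLC target(s)")
```

Against the constructed log, the authorized engineering host and the HTTPS flow are ignored, while the two external addresses and the unlisted internal host are reported; the summary shows one external source reaching two different PLCs. In practice, feed it the exported flow logs from the firewall in front of the cell or the cellular gateway, and treat any external hit as a sign that the device is still reachable from the internet and belongs behind the firewall per the first action.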
