Nearly 3,900 US industrial devices exposed as Iranian-linked hackers target Rockwell PLCs
Federal agencies say Iranian-affiliated cyber actors are actively targeting internet-facing industrial controllers in the United States, and new internet scanning data suggests the exposed attack surface is much larger than many operators may realize. A joint advisory from CISA, the FBI, NSA, EPA, DOE, and US Cyber Command says the attackers have targeted Rockwell Automation and Allen-Bradley programmable logic controllers since at least March 2026.
The advisory says the activity has already caused operational disruption and financial loss. The FBI also identified cases where the attackers extracted project files and manipulated data shown on HMI and SCADA displays, which raises the risk well beyond simple reconnaissance.
Censys says 5,219 internet-exposed Rockwell and Allen-Bradley hosts responded globally to EtherNet/IP scans, and 3,891 of them were in the United States. That means about 74.6% of the global exposure sits in the US, making American industrial operators the largest visible target pool in this campaign.
What the US government says is happening
The federal advisory says the Iranian-linked actors are exploiting internet-facing PLCs in sectors that include critical infrastructure. The agencies tie the activity to escalating Iran-related cyber operations and say the intrusions likely reflect the broader regional conflict involving Iran, the United States, and Israel.
The advisory names two Rockwell device families as confirmed targets: CompactLogix and Micro850 controllers. It also says the actors have probed other operational technology protocols, including Modbus on port 502 and Siemens S7 on port 102, which suggests the campaign may expand beyond a single vendor footprint.

Importantly, the agencies do not describe this as a zero-day campaign. Instead, the advisory says the actors used legitimate engineering software to access exposed devices, which means direct internet exposure and weak access control appear to be the main problem.
Why the Censys numbers matter
Censys published its exposure analysis one day after the federal advisory. It says the 3,891 US hosts make up nearly three-quarters of the 5,219 Rockwell and Allen-Bradley devices it found exposed online worldwide.
The firm also says many of the exposed devices sit on cellular carrier networks, including Verizon Business and AT&T Mobility. That pattern strongly suggests many of these controllers are field-deployed systems using cellular modems for remote connectivity, which can make visibility and hardening more difficult.
Censys found especially large exposure on MicroLogix 1400 and CompactLogix families, with some firmware versions that appear old or end-of-sale. That does not prove those specific devices were breached, but it does show how wide the reachable surface is for actors scanning the public internet for exposed OT systems.
This follows the CyberAv3ngers playbook
The current campaign resembles the earlier CyberAv3ngers operation against Unitronics PLCs in US water and wastewater systems. In that case, CISA said Iran’s CyberAv3ngers group compromised at least 75 Unitronics devices between November 2023 and January 2024.
That earlier campaign showed how public-facing OT devices can become geopolitical pressure points. The new advisory suggests the same lesson still has not fully landed across industrial environments, especially where controllers remain directly reachable from the internet.
The difference now is scale and visibility. The federal agencies confirm real-world disruption, while Censys shows thousands of potential US targets still exposed online. Together, those two facts make this less of a niche OT story and more of a national infrastructure exposure problem. This last point is an inference based on the advisory and the exposure dataset.
Exposure and risk at a glance
| Item | Confirmed detail |
|---|---|
| Threat actor | Iranian-affiliated cyber actors |
| Activity start | Since at least March 2026 |
| Confirmed targets | Rockwell Automation / Allen-Bradley PLCs |
| Confirmed device families | CompactLogix, Micro850 |
| Global exposed hosts seen by Censys | 5,219 |
| US exposed hosts seen by Censys | 3,891 |
| US share of global exposure | 74.6% |
| Reported impact | Operational disruption, financial loss, project file extraction, HMI/SCADA data manipulation |
Sources: Joint US advisory and Censys analysis.
What operators should do now
- Remove PLCs from direct internet exposure wherever possible. The joint advisory says organizations should disconnect them from the public internet or place them behind firewalls.
- Enforce MFA for remote OT access, including VPN access and cellular modem management interfaces. The agencies explicitly recommend stronger authentication for OT network access.
- Review logs for suspicious traffic on OT ports, especially from overseas infrastructure or unexpected remote administration paths. The advisory calls out malicious activity tied to exposed OT services.
- Disable unused services and keep PLC firmware and related software current. The advisory and Censys both point to exposure and aging deployments as compounding risk factors.
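The log-review step above can be sketched as follows. This is an added example, not code from the advisory or from Censys. It assumes a hypothetical CSV firewall export with `time,src,dst,dport,action` columns and treats RFC 1918 ranges as the trusted set. Ports 502 and 102 come from the advisory; 44818/tcp is the standard EtherNet/IP port.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# 502 (Modbus) and 102 (Siemens S7) are named in the advisory;
# 44818/tcp is the standard EtherNet/IP explicit-messaging port.
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus", 102: "S7"}

# Assumption: sources expected to reach controllers (RFC 1918 here;
# replace with your engineering-workstation and VPN ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
time,src,dst,dport,action
2026-03-10T02:11:04Z,203.0.113.7,10.20.0.15,44818,allow
2026-03-10T02:11:09Z,203.0.113.7,10.20.0.15,502,allow
2026-03-10T02:11:12Z,203.0.113.7,10.20.0.16,102,deny
2026-03-10T08:30:00Z,10.20.5.4,10.20.0.15,44818,allow
2026-03-10T09:02:41Z,198.51.100.23,10.20.0.15,443,allow
2026-03-10T09:15:27Z,198.51.100.90,10.20.0.16,44818,allow
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def find_untrusted_ot_access(log_text):
    """Group OT-port connections from untrusted sources by source address."""
    hits = defaultdict(lambda: {"protocols": set(), "allowed_targets": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dport"])
        if port not in OT_PORTS or is_trusted(row["src"]):
            continue
        entry = hits[row["src"]]
        entry["protocols"].add(OT_PORTS[port])
        if row["action"] == "allow":  # allowed flow: controller is reachable
            entry["allowed_targets"].add(row["dst"])
    return dict(hits)

def triage(hits):
    """Rank sources: those with allowed flows and more protocols come first."""
    return sorted(hits, key=lambda s: (len(hits[s]["allowed_targets"]) > 0,
                                       len(hits[s]["protocols"])), reverse=True)

if __name__ == "__main__":
    print(triage(find_untrusted_ot_access(SAMPLE_LOG)))
```

A source that touches several OT protocols, as the advisory describes for the Modbus and S7 probing, ranks above one that hits a single port, and any entry with `allowed_targets` identifies a controller that is reachable from outside the trusted ranges.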
FAQ
Censys says it found 3,891 internet-exposed Rockwell and Allen-Bradley hosts in the United States out of 5,219 globally.
A joint advisory came from CISA, the FBI, NSA, EPA, DOE, and US Cyber Command.
The FBI says the activity resulted in project file extraction and manipulation of HMI and SCADA display data.
The advisory does not describe zero-days. It says the actors used legitimate vendor software against internet-facing devices, which points more to exposure and access weakness than to a newly discovered flaw.