Iran-linked hackers disrupt operations at US critical infrastructure sites
At a glance:
- Iranian government-backed hackers are actively disrupting operations at multiple US critical infrastructure sites via targeted attacks on industrial control systems.
- The campaign, ongoing since at least March 2026, has compromised Rockwell Automation PLCs, causing operational disruption and financial losses across energy, water treatment, and government sectors.
- A joint advisory from six US agencies warns that over 5,000 exposed PLCs remain vulnerable, with 75% located in the US, urging immediate security measures.
The Threat Landscape: State-Sponsored Sabotage
The advisory issued Tuesday by a coalition of six US agencies (the FBI, CISA, NSA, EPA, DOE, and US Cyber Command) exposes a sophisticated campaign orchestrated by an Iranian-affiliated advanced persistent threat (APT) group. These actors are using their access to industrial control systems (ICS) to inflict tangible damage on physical infrastructure, marking a shift from traditional cyber espionage toward disruptive sabotage. The timing aligns with heightened geopolitical tensions between the US and Iran, suggesting this is a retaliatory measure in the ongoing cyber conflict. The advisory emphasizes the "urgency" of the threat: the attackers are not merely probing defenses but actively manipulating industrial processes to cause operational failures. This represents a concerning evolution in state-sponsored cyber warfare, in which digital intrusions translate into real-world consequences for civilian and industrial systems.
The Target: Industrial Control Systems Explained
At the heart of this campaign are programmable logic controllers (PLCs), unassuming devices typically the size of a toaster that serve as the nervous system for industrial automation. These specialized computers bridge the gap between software commands and physical machinery—controlling everything from chemical mixing valves in water treatment plants to robotic arms in manufacturing facilities. Iranian hackers are specifically targeting Rockwell Automation's Allen-Bradley PLCs, which are ubiquitous in US critical infrastructure due to their reliability and compatibility with legacy systems. The attackers exploit these devices by gaining unauthorized access to their programming interfaces, allowing them to alter operational parameters or shut down processes entirely. What makes PLCs particularly vulnerable is their long design lifespan—many remain in service for decades beyond their security support period—coupled with historically lax network isolation practices that leave them exposed to internet-based attacks.
Scale and Impact: From Digital Intrusion to Physical Harm
The sheer scope of exposed infrastructure is alarming. Security firm Censys identified 5,219 Rockwell PLCs accessible via the internet, with 75% located in the US—many in remote facilities where physical maintenance is infrequent. The attack infrastructure relies on a single compromised Windows workstation running Rockwell's engineering software, demonstrating how minimal resources can yield maximum disruption. For affected organizations, the consequences extend beyond mere downtime: compromised PLCs have caused financial losses through halted production, environmental damage from uncontrolled chemical processes, and safety risks to nearby communities. The advisory notes victims across government services, wastewater systems, and energy sectors, revealing the attackers' broad targeting strategy. This multi-sector approach suggests Iran aims to maximize psychological impact while testing US cyber defenses across critical infrastructure verticals.
Mitigation Imperatives: Closing the Exposure Gap
The joint advisory serves as a critical wake-up call for industrial operators, urging immediate action to secure PLCs against compromise. Key recommendations include implementing network segmentation to isolate industrial control systems from corporate IT networks, deploying intrusion detection systems specifically tuned for ICS traffic, and restricting remote access to engineering workstations. Organizations should also conduct thorough inventories of their PLC assets, particularly those manufactured by Rockwell Automation, and apply any available security patches. The agencies highlight that many compromised devices remain exposed because of misconfigured firewalls and default credentials, basic oversights that attackers readily exploit. This incident underscores a broader industry challenge: balancing operational accessibility with security, especially for legacy systems that may not natively support modern security protocols. As geopolitical tensions persist, such attacks are likely to intensify, making proactive security measures not just best practice but essential to infrastructure resilience.
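As an added example (not the advisory's or the article's own code) of the segmentation and ICS-tuned detection the agencies recommend, the following Python audits constructed flow records for Rockwell PLC protocol traffic (EtherNet/IP on TCP 44818, CIP I/O on UDP 2222) reaching the OT zone from the internet, from corporate IT, or from OT hosts that are not approved engineering workstations. The address plan, workstation list and flow records are assumptions made up for the example.

```python
# Added example, not from the advisory or the article: audit constructed flow
# records for Rockwell/Allen-Bradley PLC traffic crossing a segmentation boundary.
# EtherNet/IP (TCP 44818) and CIP I/O (UDP 2222) are the standard Rockwell PLC
# ports; the address plan, workstation list and flow records are made up.
import ipaddress

ROCKWELL_PORTS = {(6, 44818), (17, 2222)}  # (IP protocol number, dest port)
ORG_NETS = {"ot": [ipaddress.ip_network("10.20.0.0/16")],   # constructed
            "it": [ipaddress.ip_network("10.50.0.0/16")]}   # address plan
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.20.5.10")}  # constructed
def zone_of(addr):
    """Map an address to 'ot', 'it' or 'external' (not in the address plan)."""
    a = ipaddress.ip_address(addr)
    for name, nets in ORG_NETS.items():
        if any(a in n for n in nets):
            return name
    return "external"

def classify_flow(src, dst, proto, dport):
    """Return None for allowed traffic, otherwise a finding string."""
    if (proto, dport) not in ROCKWELL_PORTS or zone_of(dst) != "ot":
        return None  # not PLC protocol traffic to a controller in the OT zone
    src_zone = zone_of(src)
    if src_zone == "external":
        return f"INTERNET-EXPOSED {src} -> {dst}:{dport}"
    if src_zone != "ot":
        return f"CROSS-ZONE {src} -> {dst}:{dport}"
    if ipaddress.ip_address(src) not in ENGINEERING_WORKSTATIONS:
        return f"UNAPPROVED-SOURCE {src} -> {dst}:{dport}"
    return None

def audit(flow_lines):
    # Parse 'src dst proto dport' records and collect findings in order.
    findings = []
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        finding = classify_flow(src, dst, int(proto), int(dport))
        if finding:
            findings.append(finding)
    return findings

SAMPLE_FLOWS = """# constructed sample flow records: src dst proto dport
10.20.5.10 10.20.7.21 6 44818
10.50.3.4 10.20.7.21 6 44818
203.0.113.9 10.20.7.22 6 44818
10.20.9.3 10.20.7.21 17 2222
10.50.3.4 10.20.7.21 6 443
""".splitlines()
```

Running audit(SAMPLE_FLOWS) flags the corporate IT host, the external address and the unapproved OT host, and ignores the approved workstation and the non-PLC HTTPS flow.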
Prepared by the editorial stack from public data and external sources.