Introduction
In April 2026, CISA released a cybersecurity advisory warning that Iranian-affiliated APT actors are exploiting internet-facing operational technology devices, including Rockwell Automation/Allen-Bradley PLCs, across U.S. critical infrastructure.
At first glance, it may look like a highly sophisticated attack, however one may be surprised how simple their attack approach is.
The advisory does not describe the use of zero-day exploits or custom malware. Instead, the observed activity focused on internet-facing OT devices, exposed PLC connections, open ports, and improperly secured remote access tooling. In many cases, attackers are gaining access to systems that are directly exposed to the internet and lack basic security controls. The issue is not that these systems are being broken into. The issue is that many of them were never adequately secured in the first place. This becomes more serious when you consider what these systems do. PLCs control physical processes in industries such as water, energy, manufacturing, and transportation. When attackers gain access to these systems, the consequences can extend beyond data loss and IT disruption to operational outages, safety concerns, and service interruptions. That is why this advisory matters. It demonstrates how attackers are successfully targeting critical systems by exploiting basic security gaps that many organizations still struggle to address.
What’s Actually Happening
The advisory outlines a campaign focused on industrial control systems, specifically PLCs used in operational environments. Rather than using complex intrusion methods, attackers are identifying systems that are already accessible and interacting with them in ways that resemble normal engineering activity.
The threat actors begin by “using several overseas-based IP addresses to access internet-facing Rockwell Automation/Allen-Bradley-manufactured PLCs.” While Rockwell devices were specifically referenced, the broader concern applies to internet-exposed industrial control systems as a whole. Once a device is identified, they connect using legitimate vendor tools, often the same ones engineers use during normal operations. From there, they can interact with the system as if they were authorized users.
This is what makes the activity difficult to spot. It does not always look like a traditional attack. It can look like routine access unless you are actively monitoring for it.
Once inside, attackers can make changes that directly impact operations. This can include modifying control logic or altering what operators see through HMI and SCADA systems. Even small changes in these areas can create confusion, reduce visibility, or lead to incorrect decisions during critical moments.
What You Should Do
The advisory makes one thing clear. These attacks are succeeding not through advanced techniques, but through basic exposure and inadequate controls.
To prevent similar attacks to your organization your response does not need to be overly complex, but it must be intentional.
Step 1: Identify Internet-Exposed OT Systems
The first step is to determine whether any industrial systems in your environment are accessible from the internet. According to the advisory, Iranian-affiliated actors are actively scanning for and identifying internet-exposed PLCs, then leveraging that access to interact directly with the devices. In many environments, this exposure is not intentional. It often stems from misconfigured firewall rules, temporary remote access that was never removed, or legacy systems that were never revisited after deployment.
If a PLC or control system is reachable from outside your network, it should be treated as a priority issue and corrected immediately. These systems were not designed to be publicly accessible and leaving them exposed significantly lowers the barrier to attack.
Step 2: Strengthen and Control Remote Access
Once exposure is addressed, the next focus should be on how access is managed. The advisory highlights that attackers are using legitimate engineering tools to connect to PLCs and operate within the environment as if they were authorized users. That means simply having authentication in place is not enough if access is overly broad or poorly controlled.
Remote access should be routed through secure, controlled entry points, such as VPNs with strong authentication. Where supported, organizations should also consider implementing multi-factor authentication (MFA) to reduce risk through compromised credentials. Access should also be limited to users and systems that require it. Broad or persistent access creates unnecessary risk, especially in environments where engineering tools can directly modify control logic.
Step 3: Improve Visibility into PLC Activity
Visibility is another area that often falls short. The advisory notes that attackers can modify PLC logic and even alter what operators see in HMI and SCADA systems. Without monitoring, these changes can go unnoticed until they affect operations.
Even basic visibility can make a significant difference. Knowing when a PLC is accessed, who is connecting, and whether logic or configuration changes are being made provides a baseline for identifying abnormal behavior. Without that baseline, malicious activity can blend in with normal operations.
Step 4: Segment IT and OT Networks
Network design also plays a key role in risk reduction. Industrial systems should not reside on flat networks or be freely accessible from corporate environments. Segmentation limits exposure and ensures that even if one part of the network is compromised, it does not automatically grant access to critical control systems.
The advisory ultimately reinforces a familiar point. These are not new problems, and they do not require new solutions. The gap lies in consistent implementation. Organizations that take the time to reduce exposure, control access, and improve visibility are significantly better positioned to defend against this type of activity.
Conclusion
This advisory highlights a pattern that persists across different environments. The most impactful incidents are not always the result of highly sophisticated attacks. They often stem from systems that were never secured to reflect how they are used today.
PLCs and other control systems were originally designed to operate in isolated and controlled environments. As connectivity has increased, many of these systems have been integrated into broader networks without the controls needed to protect them. Over time, that gap between design and deployment has created opportunities that attackers are now actively exploiting.
What makes this situation more concerning is how little effort is required to take advantage of it. The advisory makes it clear that attackers are not relying on complex exploits or custom malware. Instead, they are identifying exposed systems and interacting with them using legitimate tools and normal operational methods. In many cases, the activity blends in with routine engineering work, which makes detection more difficult.
The key takeaway is that OT security is not just about keeping attackers out. It is also about controlling and monitoring access to critical systems. When threat actors can use legitimate engineering tools to interact with PLCs, suspicious activity may appear routine. Organizations need visibility into system access and configuration changes to identify misuse before it impacts operations.
Organizations that rely on industrial control systems should take this advisory as an opportunity to reassess their exposure. Start by identifying internet-facing OT assets, reviewing remote access pathways, validating segmentation between IT and OT networks, and ensuring there is visibility into PLC and engineering activity.
The threats described in this advisory are not theoretical, and they are not limited to large enterprises. Basic exposure and weak controls continue to create opportunities for attackers. Addressing those gaps now can significantly reduce operational risk before they are exploited.
At Enaxy, we help organizations strengthen their security posture by improving visibility, reducing unnecessary exposure, and implementing practical security controls across OT environments. If your organization needs assistance assessing or securing industrial systems, contact us at info@enaxy.com.