The most newsworthy detail in the joint federal advisory issued this week regarding Iranian cyberattacks targeting U.S. critical infrastructure isn't which systems were compromised; it's how easy it was for the attackers to succeed.
CISA, the FBI, NSA, EPA, the Department of Energy, and U.S. Cyber Command's Cyber National Mission Force formally acknowledged the campaign Tuesday in Advisory AA26-097A. For the first time, agencies confirmed the attacks have caused actual operational disruption and financial losses at victim organizations, not merely reconnaissance or access.
According to the advisory, Iranian-affiliated actors linked to Iran's Islamic Revolutionary Guard Corps spent months quietly accessing Rockwell Automation Allen-Bradley programmable logic controllers embedded in American water utilities, energy facilities, and local government networks. They did so not by exploiting a software flaw, not by deploying custom malware, and not by cracking encryption. They used the same tool a Rockwell engineer would use on any given Tuesday morning: Studio 5000 Logix Designer, the company's own programming software, pointed at PLCs that had been left accessible from the open internet.
"No public CVEs [Common Vulnerabilities and Exposures], novel techniques, or zero-days," wrote Nozomi Networks founder Andrea Carcano in a technical breakdown published the same day CISA released the advisory. "They used the tool the way it was designed to be used," Carcano said.
The attackers accessed CompactLogix and Micro850 controllers, modified ladder logic (the graphical programming language used to configure PLCs, representing the electrical relay logic of industrial control systems), manipulated what operators could see on their HMI screens, and in some cases extracted full project files — the blueprints of how a facility's industrial process works. On the wire, the traffic looked identical to a legitimate remote engineering session.
To reduce exposure to this activity, CISA’s advisory provides the following mitigations:
Immediate Steps:
Disconnect PLCs from the public internet: use a secure gateway or jump host so OT systems are never directly exposed; ensure cellular modems used for remote field access have strong authentication and logging enabled
Set the physical mode switch to "Run" on controllers that have one, to prevent remote modification of programming; only switch to Program/Remote mode during intentional updates, then switch back immediately
Enable programming protection in PLC configuration software (e.g., Siemens TIA Portal) to limit who can modify PLCs remotely
Create and test offline backups of PLC logic and configurations; store them on secured physical media for fast recovery
Follow-Up Hardening Steps, if not already doing so:
Implement multifactor authentication (MFA) for any access to the OT network from external networks
If remote access is required, deploy a VPN, proxy, gateway, or firewall in front of PLCs; use device control lists to monitor for unexpected connections.
Patch PLC firmware on a regular schedule; prioritize Known Exploited Vulnerabilities
Block unnecessary ports via external and internal firewall rules
Disable unused services (specifically Telnet, FTP, RDP, and VNC) and remove default authentication keys
Monitor asset management systems for unexpected configuration changes
Monitor network traffic for unusual logins, unexpected protocols, or ICS management commands that change operating mode or modify programs
Not everyone accepted the suggestions as practical. "There are remote pump stations nobody can drive to at 2 a.m.," one critic wrote. "Remote access didn't get into OT environments because people were lazy — it got there because operations demanded it." The more difficult question, he argued, is what happens right now, before utilities can close their exposure: "If someone established an engineering session to one of your PLCs from an overseas IP, outside your normal change windows, and quietly pulled the project file, would any alarm have fired? Would anyone have seen it?"
For most of the affected organizations, the answer is no.
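The advisory's monitoring items (watch for unusual logins, unexpected protocols, and ICS management commands that change mode or modify programs) and the critic's question above both reduce to the same hunt: find engineering-protocol sessions to PLCs that come from the wrong place, at the wrong time, or move far more data than a routine poll. The script below is an added example, not code from the advisory, CISA, or Nozomi. It runs over a handful of constructed connection records in a Zeek conn.log-like shape. The allowed engineering subnet, the internal address ranges, the Tuesday change window, and the 200 KiB "project pull" threshold are assumptions about a hypothetical site. The port numbers are standard: 44818/tcp is EtherNet/IP explicit messaging (CIP), which Studio 5000 uses to talk to Logix controllers, and 102/tcp is ISO-TSAP, the Siemens S7comm port that the advisory's IOC list also includes.

```python
"""Hunt for anomalous PLC engineering sessions in connection logs.

Added example (not from the advisory). Inputs are constructed below, not
captured from any real environment.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Standard engineering/management ports: EtherNet/IP (CIP) for Rockwell Logix
# controllers, ISO-TSAP for Siemens S7 (also on the advisory's IOC port list).
ENGINEERING_PORTS = {44818: "EtherNet/IP (CIP)", 102: "S7comm (ISO-TSAP)"}

# Assumed site policy (hypothetical, tune per site): only the engineering
# subnet may open engineering sessions, only during the Tuesday 08:00-17:00
# UTC change window, and anything outside the site's own ranges is "external".
ALLOWED_ENGINEERING_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CHANGE_WINDOW = {"weekday": 1, "start_hour": 8, "end_hour": 17}  # Tuesday, UTC

# A controller answers a routine engineering poll with a few KiB; a full
# project upload is orders of magnitude larger. Assumed threshold.
PROJECT_PULL_BYTES = 200 * 1024


@dataclass
class Conn:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: str
    dport: int
    resp_bytes: int  # bytes the PLC sent back to the client


@dataclass
class Alert:
    conn: Conn
    reasons: list[str] = field(default_factory=list)


def parse_conn(line: str) -> Conn:
    """Parse one tab-separated record: ts src dst dport orig_bytes resp_bytes."""
    ts, src, dst, dport, _orig_bytes, resp_bytes = line.rstrip("\n").split("\t")
    return Conn(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        src=ipaddress.ip_address(src),
        dst=dst,
        dport=int(dport),
        resp_bytes=int(resp_bytes),
    )


def in_change_window(ts: datetime) -> bool:
    ts = ts.astimezone(timezone.utc)
    return (ts.weekday() == CHANGE_WINDOW["weekday"]
            and CHANGE_WINDOW["start_hour"] <= ts.hour < CHANGE_WINDOW["end_hour"])


def classify(conn: Conn) -> Alert | None:
    """Return an Alert for an engineering session that breaks policy, else None."""
    if conn.dport not in ENGINEERING_PORTS:
        return None  # not an engineering protocol; out of scope for this hunt
    reasons: list[str] = []
    if not any(conn.src in net for net in ALLOWED_ENGINEERING_SOURCES):
        external = not any(conn.src in net for net in INTERNAL_RANGES)
        reasons.append("external source" if external
                       else "non-engineering internal source")
    if not in_change_window(conn.ts):
        reasons.append("outside change window")
    if conn.resp_bytes >= PROJECT_PULL_BYTES:
        reasons.append(f"large upload from PLC ({conn.resp_bytes} bytes)")
    return Alert(conn, reasons) if reasons else None


def hunt(lines: list[str]) -> list[Alert]:
    return [a for a in (classify(parse_conn(l)) for l in lines if l.strip()) if a]


# Constructed records: ts, src, dst, dport, orig_bytes, resp_bytes.
# 2026-04-07 is a Tuesday; 2026-04-09 is a Thursday. 203.0.113.77 is a
# documentation address standing in for an overseas IP.
SAMPLE_LOG = [
    "2026-04-07T10:15:00Z\t10.20.5.12\t10.30.1.50\t44818\t2048\t5120",   # routine
    "2026-04-07T10:20:00Z\t10.20.5.12\t10.30.1.50\t443\t900\t3000",      # not ICS
    "2026-04-07T11:02:10Z\t10.20.5.12\t10.30.1.51\t102\t1200\t2600",     # routine S7
    "2026-04-07T10:30:00Z\t192.168.7.9\t10.30.1.52\t102\t800\t1500",     # wrong host
    "2026-04-09T02:13:41Z\t203.0.113.77\t10.30.1.50\t44818\t4096\t612000",  # the bad one
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        c = alert.conn
        print(f"{c.ts.isoformat()} {c.src} -> {c.dst}:{c.dport} "
              f"[{ENGINEERING_PORTS[c.dport]}] {'; '.join(alert.reasons)}")
```

Run against the sample, the routine Tuesday sessions from the engineering subnet are silent, the 443 flow is ignored, the internal-but-wrong host trips one reason, and the 02:13 Thursday session from the external address trips all three (wrong source, wrong time, and a 612,000-byte transfer from the controller that looks like a project file leaving the plant). In production the records would come from a span port or firewall logs in front of the PLCs rather than a list literal, and the reason list is what you would route to the on-call alert.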
The timing of the advisory is inseparable from the broader conflict. Since the United States and Israel launched Operation Epic Fury on February 28, a coordinated military campaign targeting Iranian nuclear facilities, missile infrastructure, and IRGC leadership, Iranian cyber operations against American targets have escalated sharply. FBI assessors concluded the PLC targeting is retaliatory, framing it as Iran's asymmetric response to a conflict it cannot match conventionally.
Flashpoint analysts, who have tracked the conflict across military, cyber, and geopolitical domains since February 28, documented the convergence: "Cyber operations are not ancillary — they are being used as a synchronized force multiplier," the firm wrote in its ongoing conflict assessment. Flashpoint also confirmed that on March 9, Iran's MOIS-linked group MuddyWater had infiltrated U.S. aerospace and defense networks the same week that IRGC-affiliated actors are assessed to have been actively manipulating PLCs at American infrastructure sites.
Nozomi's breakdown also notes that, while advisory AA26-097A concerns Rockwell Automation devices, the IOC port list includes port 102, the standard Siemens S7 protocol port. "The advisory notes these actors may also be targeting devices manufactured by companies other than Rockwell Automation," Carcano wrote. "If you're running Siemens, Schneider Electric, or other exposed OT devices, these IOCs belong in your hunt."
The geopolitical hacktivist network is coming into focus. A new DomainTools Investigations report attributed the activity of hacktivist personas Homeland Justice, Karma/KarmaBelow80, and Handala Hack to a single, coordinated ecosystem aligned with Iran's Ministry of Intelligence and Security (MOIS). The findings suggest the hacktivist layer — which has claimed credit for defacements, data leaks, and psychological operations targeting American and Israeli organizations throughout the conflict — functions less as a grassroots cyber underground and more as a deniable arm of Iranian state intelligence.
That distinction matters for how defenders should think about the threat. The PLC intrusions didn't require a nation-state's technical arsenal. They required a nation-state's patience, planning, and willingness to act — and an adversary that, months before the current conflict erupted, understood exactly where America's industrial attack surface was left open.
