More than 5,200 internet-connected devices, primarily programmable logic controllers (PLCs) made by Rockwell Automation/Allen-Bradley, have been identified as potentially exposed to Iranian government-backed attackers, according to a threat intelligence brief released Wednesday by cybersecurity firm Censys.
The majority of these potentially vulnerable devices, nearly 3,900, are located within the United States. These industrial control systems are critical to the operations of the U.S. energy sector, water and wastewater systems, and government facilities.
Iranian Attackers Target U.S. Critical Infrastructure
Federal agencies, including the FBI, NSA, and CISA, issued a joint alert Tuesday warning of Iranian government attackers exploiting operational technology devices. These attacks have disrupted multiple sectors over the past month, leading to financial losses for some victims. The alert detailed the threat and provided indicators of compromise to aid in defense.
Censys researchers scanned for and identified 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLC hosts shortly after the federal advisory was published. The firm’s analysis indicated that these devices are primarily deployed in remote, field-based locations and often rely on cellular systems for connectivity.
Device Exposure and Network Connectivity
Of the globally exposed devices, nearly half are connected via Verizon’s wireless network, with an additional 13% utilizing AT&T’s infrastructure. This reliance on cellular connectivity for remote deployments presents a significant security challenge, as these devices often serve as the sole internet pathway for critical infrastructure components.
Censys researchers noted that additional services exposed on other ports of these devices could further amplify the attack surface, potentially giving attackers access to operational systems beyond the PLCs themselves.
Vulnerable PLC Models Identified
The threat intelligence brief identified specific vulnerable models, including MicroLogix and CompactLogix PLCs, and published a list of the 15 most exposed products. Many of these devices are running end-of-life software, a condition attackers can use to prioritize unpatched, more vulnerable systems during their reconnaissance and attack phases.
The activity by these Iranian government-backed groups dates back to at least March. This campaign appears to have intensified following the conflict between Iran, the U.S., and Israel, occurring concurrently with other reported attacks by different Iranian state-sponsored actors against entities like Stryker and various local governments.
Federal agencies involved in the alert include the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Department of Energy, alongside U.S. Cyber Command. The advisory aimed to provide critical defense information to the sectors targeted.
Moving forward, organizations are urged to review the indicators of compromise provided by federal agencies and Censys. Further advisories from CISA and other intelligence partners are expected as the threat landscape evolves. The potential for ongoing exploitation remains high, particularly for systems utilizing outdated software and indirect network access points.