TempMail Ninja

Industrial Device Security at Risk: 5,000+ PLCs Exposed to Iranian APTs

The convergence of information technology (IT) and operational technology (OT) was promised as a revolution for industrial efficiency. In April 2026, that promise has curdled into a perilous reality. Sobering new research from Censys has exposed a critical weakness in national infrastructure: more than 5,000 Rockwell Automation programmable logic controllers (PLCs) are reachable from the public internet. This is not merely a data security concern; it is a direct, tangible threat to the systems that manage water, energy, and government services. As geopolitical tensions rise, the imperative for robust industrial device security has never been more urgent.

The Anatomy of a Modern Industrial Threat

On April 7, 2026, the FBI, CISA, and the NSA jointly issued a high-priority warning about ongoing, active exploitation of these internet-facing OT devices. The adversaries behind this campaign are not mysterious, shadowy figures; they are well-documented, state-sponsored actors linked to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), including the group known as CyberAv3ngers.

The Censys research paints a grim picture of the attack surface. Censys identified 5,219 internet-exposed Rockwell Automation/Allen-Bradley PLCs worldwide that answer EtherNet/IP requests on TCP port 44818. The geographic distribution is heavily skewed: 74.6% (approximately 3,891 units) are located in the United States. That concentration reflects Rockwell Automation's market dominance in North American industrial automation, but it also points to a systemic failure in how these mission-critical components are deployed and secured.

The “Living off the Land” Strategy

Perhaps most alarming is the simplicity of the attack vector. These actors are not relying on expensive zero-day exploits. They use the tools built for legitimate industrial engineering: once an internet-facing PLC is reachable, standard vendor software such as Rockwell's Studio 5000 Logix Designer can connect to it, read and download project files, modify control logic, and change the values presented to human-machine interfaces (HMIs) and SCADA systems. Classic EtherNet/IP carries no authentication of its own, so whoever can reach TCP port 44818 can do what the engineer's laptop does.

This is a classic “living off the land” (LotL) technique. By using legitimate administrative tools to conduct unauthorized, malicious activity, the attackers blend into the noise of standard industrial operations. They don’t need to break into the system; they simply walk through an open door that was never meant to be accessible from the public internet in the first place.

Understanding the Expanded Attack Surface

The exposure identified by Censys goes beyond the primary EtherNet/IP (EIP) service on port 44818. Protocol enumeration across the 5,219 hosts shows that many of the same IP addresses also answer on other services, which significantly amplifies the risk: an attacker who cannot get what they want from the PLC alone can pivot to an adjacent HMI or gateway and gain even deeper control.

  • VNC Exposure: Found on hundreds of the same addresses, VNC gives an attacker graphical remote desktop access to an HMI workstation or panel, so they can watch and drive the process exactly as an operator would.
  • Legacy Protocol Risks: Many of these hosts still expose unencrypted legacy services such as Telnet, cleartext entry points for credential harvesting and lateral movement.
  • Cellular Deployments: A striking share of these hosts sit on cellular carrier ASNs such as Verizon Business, which points to field deployments at remote, unmanned sites. A cellular modem with a public IP address and no firewall between it and the controller bypasses the plant perimeter entirely and puts the PLC directly on the global internet.
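To make the exposure count concrete, here is an added example (my code, not Censys's scanner and not Rockwell software) of the probe such a count is built on: a ListIdentity request over TCP 44818 and a parser for the reply, which carries the vendor ID, device type, product name, firmware revision and serial number that a scanner fingerprints. The same probe serves the verification step in the remediation list later in this article; run it only against addresses you own. The reply bytes at the bottom are constructed for offline testing, and the product code and serial in them are arbitrary.

```python
"""EtherNet/IP ListIdentity probe and parser (added example, not Censys's scanner)."""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP explicit messaging (TCP)
CMD_LIST_IDENTITY = 0x0063   # encapsulation command: ListIdentity
ITEM_CIP_IDENTITY = 0x000C   # CPF item type carrying the CIP Identity object
VENDOR_ROCKWELL = 1          # ODVA vendor ID 1 = Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x0E       # CIP device profile "Programmable Logic Controller"

ENCAP_HEADER = "<HHII8sI"    # command, length, session, status, sender context, options


def build_list_identity_request(context: bytes = b"\x00" * 8) -> bytes:
    """24-byte encapsulation header with no payload; session handle 0 (no session needed)."""
    return struct.pack(ENCAP_HEADER, CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Parse a ListIdentity reply into the fields a scanner would fingerprint on."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack(ENCAP_HEADER, data[:24])
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    if status != 0:
        raise ValueError(f"encapsulation error status 0x{status:08x}")
    body = data[24:24 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if type_id == ITEM_CIP_IDENTITY:
            return _parse_identity_item(item)
    raise ValueError("no CIP Identity item in reply")


def _parse_identity_item(item: bytes) -> dict:
    (proto_ver,) = struct.unpack_from("<H", item, 0)
    # The embedded sockaddr_in is big-endian (network order), unlike the rest of CIP.
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    off = 18  # 2 (protocol version) + 16 (sockaddr_in)
    (vendor, dev_type, product_code, rev_major, rev_minor,
     dev_status, serial) = struct.unpack_from("<HHHBBHI", item, off)
    off += 14
    name_len = item[off]
    off += 1
    name = item[off:off + name_len].decode("ascii", errors="replace")
    off += name_len
    state = item[off]
    return {
        "protocol_version": proto_ver,
        "ip": socket.inet_ntoa(addr), "port": port,
        "vendor_id": vendor, "device_type": dev_type, "product_code": product_code,
        "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
        "serial": f"{serial:08x}", "product_name": name, "state": state,
    }


def classify(identity: dict) -> str:
    """Bucket a reply the way an exposure count like the one above is built."""
    if identity["vendor_id"] == VENDOR_ROCKWELL and identity["device_type"] == DEVICE_TYPE_PLC:
        return "rockwell-plc"
    if identity["vendor_id"] == VENDOR_ROCKWELL:
        return "rockwell-other"
    return "other-enip-device"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full reply")
        buf += chunk
    return buf


def probe(host: str, port: int = ENIP_PORT, timeout: float = 3.0) -> dict:
    """Send ListIdentity over TCP to one host. Only run against assets you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_identity_request())
        header = _recv_exact(s, 24)
        (length,) = struct.unpack_from("<H", header, 2)
        return parse_list_identity_response(header + _recv_exact(s, length))


def constructed_sample_response() -> bytes:
    """Constructed reply for offline testing; product code and serial are made up."""
    name = b"1769-L33ER/A LOGIX5333ER"
    item = struct.pack("<H", 1)                                             # protocol version 1
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, bytes([192, 168, 1, 10]), b"\x00" * 8)  # AF_INET
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x0066, 30, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + bytes([0x03])                       # product name, state
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item       # one CPF item
    return struct.pack(ENCAP_HEADER, CMD_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


if __name__ == "__main__":
    print(classify(parse_list_identity_response(constructed_sample_response())))
```

ListIdentity needs no session and no credentials, which is exactly why an internet scanner can take a census of these controllers: the device volunteers its make, model, firmware revision and serial to anyone who asks. If your own ranges return a `rockwell-plc` from outside the plant, that controller is on the list this article is about.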

The Infrastructure Reality

These devices are the “brains” of critical infrastructure. They control the flow of water in our treatment plants, the synchronization of our energy grids, and the automation of government facilities. When an attacker manipulates the logic within a PLC, they aren’t just stealing data; they are altering physical reality. They can trick an operator into believing a system is functioning normally while a pump is over-pressurizing or a valve is closing, leading to catastrophic physical damage and service disruption.

The Imperative for Immediate Remediation

The current guidance from CISA, the FBI, and the NSA is unambiguous: organizations must treat this as an immediate operational priority. Continuing to operate internet-facing industrial control systems is no longer a sustainable security posture.

Industrial device security requires a move away from the traditional, perimeter-focused defenses that have clearly failed in the face of modern, state-sponsored targeting. The following steps must be taken immediately:

  1. Disconnect and Isolate: The primary mitigation is to remove every PLC from the public internet. OT networks must be segmented from both the corporate IT network and the internet, and remote access, where it is genuinely required, must go through a hardened, logged, multi-factor-authenticated (MFA) gateway or jump host rather than a port forward on a firewall or cellular modem.
  2. Use the Physical Mode Switch: On Logix-family controllers the key switch is the most effective single control. In the RUN position the controller rejects program downloads, online edits, and mode changes over the network, and because the switch is physical, nothing an attacker sends over EtherNet/IP can override it. Leave the switch in REM (remote) only while an engineer is actively working, because REM is precisely what lets Studio 5000 change the controller's mode and logic from anywhere on the network.
  3. Implement Deep Packet Inspection (DPI) and Monitoring: Because the adversaries use legitimate engineering tools, signature-based antivirus will not see this activity. Deploy OT-specific monitoring that decodes industrial protocols and alerts in real time on anomalous behavior: EtherNet/IP sessions from addresses that are not approved engineering workstations, project downloads or online edits to a controller, controller mode changes, and configuration writes outside a declared maintenance window.
  4. Review Asset Inventory and Exposure: Many organizations remain unaware of their true exposure. An accurate, continuously updated inventory of all OT assets and their network visibility is the bedrock of a robust security program. Assume your OT assets are visible to the internet until your team has verified, through scanning and network analysis, that they are not.
  5. Apply Vendor Hardening: Follow the specific hardening guidance provided by Rockwell Automation, which includes disabling unnecessary services, closing unused ports, and applying the latest firmware patches to mitigate known authentication bypass vulnerabilities.
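As an added example (my code, not a product's rule set and not from the advisory), the monitoring and inventory steps above expressed as detection logic over constructed EtherNet/IP session records. The site address ranges, the PLC inventory, the engineering and HMI allowlists, the maintenance window and the tab-separated log format are assumptions for the example; the CIP service codes are the standard Reset and Set_Attribute_Single services and the Logix Write_Tag services.

```python
"""Rule-based alerting over EtherNet/IP session records (added example, not a product's rules)."""
import ipaddress
from dataclasses import dataclass

# CIP service codes the rules treat as changes: Reset and Set_Attribute_Single are
# standard CIP services; Write_Tag and Write_Tag_Fragmented are Logix tag-write services.
WRITE_SERVICES = {0x05: "Reset", 0x10: "Set_Attribute_Single",
                  0x4D: "Write_Tag", 0x53: "Write_Tag_Fragmented"}

# Assumed site policy (placeholders, not from the article or any vendor).
SITE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PLC_INVENTORY = {"10.20.40.11", "10.20.40.12"}   # from the asset inventory (step 4)
ENGINEERING_HOSTS = {"10.20.30.5"}               # Studio 5000 workstation behind the MFA gateway
HMI_HOSTS = {"10.20.50.9"}                       # HMIs write setpoints as normal operation
MAINTENANCE_WINDOW = ("2026-04-07T22:00:00", "2026-04-08T02:00:00")  # ISO timestamps compare lexically


@dataclass
class EnipEvent:
    ts: str        # ISO-8601 timestamp
    src: str       # client address
    dst: str       # controller address
    service: int   # CIP service code in the request


def parse_log(text: str) -> list:
    """Parse constructed tab-separated records: ts, src, dst, service (hex)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, svc = line.split("\t")
        events.append(EnipEvent(ts, src, dst, int(svc, 16)))
    return events


def in_site(addr: str) -> bool:
    # Deliberately not ipaddress.is_private(): that also treats documentation
    # ranges such as 203.0.113.0/24 as private, which would hide the sample attacker.
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_NETS)


def in_window(ts: str) -> bool:
    return MAINTENANCE_WINDOW[0] <= ts <= MAINTENANCE_WINDOW[1]


def evaluate(ev: EnipEvent) -> list:
    """Alert names for one event; an empty list means the event is expected."""
    alerts = []
    if ev.dst not in PLC_INVENTORY:
        return ["enip-to-uninventoried-host"]      # something speaks CIP that we never catalogued
    if not in_site(ev.src):
        alerts.append("cip-from-outside-site")      # the exposure the article describes
    elif ev.src not in ENGINEERING_HOSTS | HMI_HOSTS:
        alerts.append("cip-from-unapproved-host")
    if ev.service in WRITE_SERVICES and ev.src not in HMI_HOSTS and not in_window(ev.ts):
        alerts.append("unscheduled-write:" + WRITE_SERVICES[ev.service])
    return alerts


def run(events: list) -> list:
    """Flatten to (ts, src, dst, alert) tuples, one per rule hit."""
    return [(ev.ts, ev.src, ev.dst, a) for ev in events for a in evaluate(ev)]


# Constructed sample records (not real traffic). 0x4C is Read_Tag, 0x54 is Forward_Open.
SAMPLE_LOG = """\
2026-04-07T10:12:03\t10.20.30.5\t10.20.40.11\t0x4c
2026-04-07T10:12:09\t10.20.30.5\t10.20.40.11\t0x4d
2026-04-07T23:05:41\t10.20.30.5\t10.20.40.12\t0x4d
2026-04-07T10:30:00\t10.20.50.9\t10.20.40.11\t0x4d
2026-04-07T11:47:20\t203.0.113.77\t10.20.40.11\t0x54
2026-04-07T11:47:22\t203.0.113.77\t10.20.40.11\t0x4d
2026-04-07T12:00:00\t10.20.60.3\t10.20.40.11\t0x10
2026-04-07T12:05:00\t10.20.30.5\t10.20.40.99\t0x4c
"""

if __name__ == "__main__":
    for hit in run(parse_log(SAMPLE_LOG)):
        print(*hit)
```

The point of the rules is that none of them needs a signature for the attacker's tool: a Studio 5000 session from a public address, a tag write from a host that is not the engineering workstation, or a configuration change outside the window all stand out on who is talking to the controller and when, which is the only signal a living-off-the-land intrusion leaves. The inventory check is why step 4 comes first; a rule keyed on a PLC list cannot protect a controller nobody wrote down.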

Conclusion: A New Era of OT Responsibility

The incident of April 2026 is a clarion call. The era in which industrial operators could rely on “security through obscurity”—the idea that no one would know or care to look for their specific controllers—is over. Sophisticated state-sponsored groups are actively mapping and exploiting the vulnerabilities inherent in poorly configured, internet-exposed industrial control systems.

Protecting critical infrastructure is no longer just a technical challenge for the IT department; it is a fundamental responsibility of industrial management. The convergence of IT and OT has undeniably created efficiency, but it has also created a permanent, high-stakes battleground. For those responsible for the safety and reliability of our water, energy, and government services, the time for complacency has passed. The security of these systems must be anchored in the principles of zero-trust, rigorous network segmentation, and the unwavering commitment to keep the most sensitive industrial controls entirely offline.

Every PLC removed from the public internet is a win for national security. It is time for every industrial operator to audit their network, identify their exposures, and close the doors that never should have been left open.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.