Six Federal Agencies Warn: Iran Is Targeting U.S. Industrial PLCs
On April 7, 2026, six federal agencies including the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command issued a joint cybersecurity advisory confirming what OT security professionals have feared: Iranian-affiliated advanced persistent threat actors are actively exploiting internet-facing programmable logic controllers across multiple U.S. critical infrastructure sectors.
The advisory (AA26-097A) details ongoing exploitation of Rockwell Automation/Allen-Bradley PLCs, along with indicators that other branded PLCs may also be targeted. The result has been operational disruption, data manipulation on HMI and SCADA displays, and in some cases, financial loss.
This is not a future risk scenario. It is happening now.
What the Advisory Reveals
Since at least March 2026, Iranian-affiliated APT actors have been targeting internet-exposed PLCs across the water and wastewater, energy, and government services sectors. The authoring agencies link this escalation to rising hostilities between Iran, the United States, and Israel.
The attack methodology is notable for its simplicity. Threat actors used overseas-hosted infrastructure running Rockwell Automation's Studio 5000 Logix Designer, the manufacturer's own configuration software, to establish accepted connections with victim PLCs. Targeted devices include CompactLogix and Micro850 controllers.
Once connected, the attackers extracted PLC project files containing ladder logic and configuration settings, and manipulated data displayed on HMI and SCADA interfaces. They also deployed Dropbear SSH software on victim endpoints for persistent remote access through port 22.
The Ports Under Attack
The advisory identifies five ports associated with malicious inbound traffic: 44818 (Rockwell/EtherNet/IP), 2222, 102 (Siemens S7), 502 (Modbus), and 22 (SSH). The inclusion of ports tied to multiple OT vendors' protocols suggests the targeting extends beyond Rockwell devices alone.
Organizations should immediately check available logs on these ports for traffic originating from overseas hosting providers, particularly from the IP ranges identified in the advisory's indicators of compromise.
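As an added triage example (not code from the advisory or from AKMSecure), the script below walks constructed firewall flow records and flags accepted inbound sessions to the five advisory ports from sources that are neither RFC 1918 space nor an assumed allowlist of external networks permitted to reach PLCs. The allowlist range, the sample addresses and the log format are placeholders; the advisory's actual indicator ranges are not reproduced here and would be substituted in by the operator.

```python
import ipaddress
from collections import Counter

# Ports the advisory names as carrying malicious inbound traffic.
OT_PORTS = {44818: "EtherNet/IP (Rockwell)", 2222: "EtherNet/IP I/O (Rockwell)",
            102: "S7comm (Siemens)", 502: "Modbus/TCP", 22: "SSH (Dropbear persistence)"}

# RFC 1918 space is treated as internal. ALLOWED_SOURCES is an assumed allowlist of
# external networks permitted to reach PLCs (e.g. an integrator's VPN egress); the
# range is an RFC 5737 documentation placeholder, not a value from the advisory.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

def parse_line(line):
    """Parse one constructed flow record: '<ts> <src_ip> <dst_ip> <proto> <dport> <action>'."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "action": action}

def is_suspicious(rec):
    """Accepted inbound session to an OT port from a source outside RFC 1918 and the allowlist."""
    if rec["dport"] not in OT_PORTS or rec["action"] != "ACCEPT":
        return False
    return not any(rec["src"] in net for net in INTERNAL + ALLOWED_SOURCES)

def find_hits(lines):
    """Return (suspicious records, hit count per external source) for a list of log lines."""
    hits = [r for r in (parse_line(l) for l in lines if l.strip()) if is_suspicious(r)]
    return hits, Counter(str(h["src"]) for h in hits)

# Constructed sample log; the external addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-04-02T03:11:09Z 203.0.113.45 10.20.5.10 tcp 44818 ACCEPT
2026-04-02T03:11:12Z 203.0.113.45 10.20.5.10 tcp 2222 ACCEPT
2026-04-02T03:15:40Z 198.51.100.7 10.20.5.11 tcp 22 ACCEPT
2026-04-02T08:00:01Z 10.20.1.50 10.20.5.10 tcp 44818 ACCEPT
2026-04-02T09:30:22Z 192.0.2.10 10.20.5.12 tcp 502 ACCEPT
2026-04-02T10:02:15Z 203.0.113.45 10.20.5.12 tcp 102 DROP
2026-04-02T11:47:03Z 198.51.100.7 10.20.5.11 tcp 443 ACCEPT
""".splitlines()

if __name__ == "__main__":
    hits, counts = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} {OT_PORTS[h["dport"]]}')
    print("hits per source:", dict(counts))
```

The per-source counts give a quick pivot: one external address touching both 44818 and 2222 on the same controller matches the engineering-software session pattern the advisory describes, and is the record to carry into the IoC cross-reference.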
A Pattern, Not an Anomaly
This campaign is not an isolated incident. The advisory explicitly connects the current activity to the CyberAv3ngers campaign that began in November 2023, when IRGC-affiliated actors known as the Shahid Kaveh Group compromised at least 75 Unitronics PLC devices with HMIs used across multiple critical infrastructure sectors, including water and wastewater systems.
The escalation from Unitronics to Rockwell Automation devices, and from a single sector to three, signals a deliberate expansion of Iran's OT targeting capability. Each campaign has exploited the same fundamental weakness: PLCs deployed on the public internet without adequate network segmentation, authentication, or device-level encryption.
Why the Mitigations Only Go So Far
The advisory's recommended mitigations are sound and urgent. Disconnecting PLCs from the public internet, placing physical mode switches in the run position, implementing MFA for OT network access, deploying VPNs and firewalls, patching firmware, and monitoring for configuration changes are all necessary steps that every affected organization should take immediately.
But these mitigations address the perimeter, not the device. They assume that if you build a strong enough wall around the PLC, the PLC itself doesn't need cryptographic identity or session-level authentication. History, and this advisory, suggest otherwise.
The core issue is that most OT devices were deployed without any viable encryption framework. PKI was never an option for constrained industrial controllers operating in air-gapped or semi-connected environments. The overhead, the dependency on certificate authorities, the manual lifecycle management — none of it was built for a Micro850 on a factory floor or a CompactLogix in a water treatment facility.
That encryption gap is exactly what nation-state actors are exploiting. Not with sophisticated zero-days, but with the manufacturer's own software connecting to devices that have no way to verify who is on the other end of the session.
Closing the Gap That PKI Never Could
The advisory reinforces a reality that OT security teams have known for years: perimeter defenses are necessary but insufficient. What's needed is cryptographic authentication at the device level, delivered in a form factor that constrained OT endpoints can actually run.
Autonomous Key Management™ was built for exactly this scenario. AKM's symmetric-key architecture operates in under 50KB, requires no certificate authority, functions in air-gapped environments, and refreshes session credentials autonomously without human intervention. It delivers encryption where PKI was never viable, closing the gap that threat actors like these Iranian APT groups continue to exploit.
Every session is independently verified with no persistent credentials left behind. There is nothing to steal, replay, or escalate. That is Zero Trust at the protocol layer, applied to the devices that need it most.
What OT Operators Should Do Now
Review the full advisory (AA26-097A) and cross-reference the indicators of compromise against your network logs. Beyond the immediate mitigations, assess whether your OT devices have any form of cryptographic session authentication. If the answer is no, and for most PLC deployments it will be, that is the gap that needs closing.
Advisories will keep coming. The question is whether your infrastructure will be in the next one.
About AKMSecure
AKMSecure delivers a patented Autonomous Key Management™ protocol built to replace outdated PKI approaches with a dynamic, quantum-secure, air-gapped-capable architecture. Instead of relying on persistent credentials that can be stolen, reused, or abused, AKM enables independently verified sessions with no standing privileges left behind. The result is a model that better aligns with Zero Trust principles, reduces certificate-based risk, and supports resilient operations across enterprise IT, OT and Tactical Edge environments. Built to NSA-grade security standards and deployable as a lightweight SDK, AKMSecure helps organizations modernize trust at the protocol layer without rebuilding everything around it.