Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday

The US government issued a joint advisory warning that Iran-linked hackers have targeted critical infrastructure by compromising industrial control systems and operational technology, with a focus on programmable logic controllers made by Rockwell Automation and other vendors. Attackers have abused legitimate engineering tools such as Rockwell’s Studio 5000 Logix Designer to manipulate PLC logic, HMIs, and SCADA; experts recommend removing PLCs from the public Internet, enforcing segmentation, and adopting zero-trust access controls.

Key points

  • Iran-linked actors targeted internet-exposed PLCs and other OT devices, prompting a joint CISA and FBI advisory.
  • Attackers abused legitimate engineering software like Studio 5000 Logix Designer to extract and alter PLC project logic and HMI/SCADA data.
  • Observed indicators include traffic on ports such as 44818 (EtherNet/IP), 102 (S7comm), and 502 (Modbus), implicating multiple vendors.
  • Targeted industries include water, energy, and government services, causing operational disruption and financial loss.
  • Recommended defenses include removing PLCs from public internet access, implementing segmentation or zero-trust, enforcing MFA and credential rotation, and monitoring control protocols.
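To make the monitoring recommendation concrete, here is an added example (not taken from the advisory or the article) that reviews firewall flow records for permitted traffic to the three control-protocol ports listed above. The log format, the sample records and the engineering-host allowlist are assumptions constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress

# Ports named in the key points above and the protocol each one carries.
ICS_PORTS = {44818: "EtherNet/IP", 102: "S7comm", 502: "Modbus"}

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also treats the
# documentation ranges used in the sample below as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (assumed format): time src dst dst_port action
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 203.0.113.7 10.20.0.15 44818 ALLOW
2024-01-01T08:00:05Z 10.20.0.50 10.20.0.15 44818 ALLOW
2024-01-01T08:01:12Z 10.30.5.9 10.20.0.16 502 ALLOW
2024-01-01T08:02:40Z 198.51.100.23 10.20.0.17 102 DENY
2024-01-01T08:03:02Z 198.51.100.23 10.20.0.18 443 ALLOW
truncated line
"""

def flag_ics_flows(log_text, engineering_hosts=()):
    """Return (finding, protocol, src, dst, time) for each permitted flow to an
    ICS port whose source is not an approved engineering host."""
    approved = [ipaddress.ip_network(h) for h in engineering_hosts]
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        when, src, dst, port, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue
        if port not in ICS_PORTS or action != "ALLOW":
            continue  # only permitted traffic to control-protocol ports matters
        if any(src_ip in net for net in approved):
            continue  # expected engineering workstation
        internal = any(src_ip in net for net in INTERNAL_NETS)
        kind = "segmentation-gap" if internal else "internet-exposed"
        findings.append((kind, ICS_PORTS[port], src, dst, when))
    return findings

if __name__ == "__main__":
    for finding in flag_ics_flows(SAMPLE_FLOWS, ["10.20.0.50/32"]):
        print(*finding)
```

An "internet-exposed" finding means a PLC port is reachable from a public address and should be taken off the Internet; a "segmentation-gap" finding means an internal host outside the approved engineering set can reach the controller.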

Read More: https://www.securityweek.com/industry-reactions-to-iran-hacking-ics-in-critical-infrastructure-feedback-friday/