That’s the port number Iranian hackers are knocking on right now, slipping into US critical infrastructure like it’s 1999.
CISA’s April 7 advisory lays it out cold: state-backed creeps from Iran have been probing and poking internet-facing operational technology since last month. Programmable logic controllers—PLCs—from Rockwell Automation/Allen-Bradley are the prime targets. Water and wastewater systems. Energy grids. Government facilities, even local town halls. Disruption? Check. Financial hits? Already piling up.
Look, I’ve covered this beat for two decades, from Stuxnet’s glory days to the SolarWinds mess. And here’s the cynical truth: nothing’s changed. These PLCs manage everything from chemical dosing in water treatment to power flows in substations. Hackers use Rockwell’s own Studio 5000 Logix Designer software—legit config tool—to waltz in via overseas IPs. They tweak project files, mess with HMI and SCADA screens. Data on those displays? Suddenly fiction.
Why Do US Infra Operators Leave PLCs Naked Online?
Ports 44818 for EtherNet/IP chatter, 2222, 102, 22 for SSH via Dropbear, 502 for Modbus. Inbound from sketchy third-party hosts. It’s amateur hour for defenders, pro day for attackers.
CISA’s blunt: “Due to the widespread use of these PLCs and the potential for additional targeting of other branded OT devices across critical infrastructure, the authoring agencies recommend US organizations urgently review the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) in this advisory for indications of current or historical activity on their networks, and apply the recommendations listed in the mitigations section to reduce the risk of compromise.”
That’s the government nice-speak for ‘wake the hell up.’ Secure gateways. Firewalls blocking direct internet access to PLCs. Hunt those IOCs in your logs. Flip the physical switch on Rockwell gear to ‘run’ mode—no remote fiddling. And if you’re already owned? Call the FBI yesterday.
But here’s my unique take, one you won’t find in the advisory: this reeks of 2023 déjà vu. Remember Iran’s IRGC hitting Unitronics PLCs in US water plants? Israeli-made gear, symbolic middle finger amid Gaza tensions. Now Rockwell—American iron. It’s escalation, not coincidence. Geopolitics via SCADA. And who’s cashing in? Cybersecurity firms peddling OT fixes, that’s who. Every breach fattens their pitch decks.
Ross Filipek from Corsica Technologies nails it without the fluff.
“Years of high-profile infrastructure incidents have shown the world two things. First, that many operational technology environments still have internet-reachable interfaces and remote access paths that were never meant to be permanent.”
Exactly. These weren’t built for the wild web. Legacy junk from the ’90s, patched with duct tape. And Steve Povolny at Exabeam warns of the reconnaissance wave incoming—credential stuffing, exploits galore during US-Iran saber-rattling.
Is This the Next Stuxnet—in Reverse?
Stuxnet flipped the script: US-Israel cyberweapon shredded Iran’s nukes via air-gapped PLCs. Now? Iran’s payback, sloppy but effective, on exposed assets. Prediction: by summer, we’ll see ransomware layered on top. Why? Nuisance hacks build skills, lower barriers. Limited downtime snowballs—emergency crews scramble, bills skyrocket, reps tank.
CNI bosses, listen up. IT-OT visibility chasm? Still there. Segment those networks like your life’s on it (it is). Log every vendor workstation. Test IR plans for PLC wipeouts, not just data leaks. Too late? Povolny thinks so. I half-agree—but panic’s a great motivator.
This didn’t spawn in a vacuum. March’s Handala hit on Stryker nuked 10,000+ med devices. Pattern’s clear: Iran’s playbook maturing. From defacement to disruption. Next? Denial of safe drinking water in a red-state suburb? Bet on it.
Fixes? Baby steps, really. Gateways between PLCs and the net. Log scans for overseas traffic on those ports. Physical locks on controllers. But who foots the bill? Taxpayers, eventually. Vendors like Rockwell? They’ll issue a patch, PR spin it as ‘enhanced security.’ Meanwhile, shareholders cheer.
Skeptical vet mode: OT security’s a gold rush. Firms hawking ‘air-gapped’ illusions rake it in. Real money? In the breach aftermath. Consultants swarm, budgets balloon. Hackers? State-funded, no skin in the game.
Water exec in Ohio, energy op in Texas—you’re the bullseye. Hunt IOCs now. Segment ruthlessly. Ditch default creds (yeah, some still do that). And pray the feds share more than advisories.
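The log hunt urged above (and in the port list earlier) boils down to one question: who is talking to your controllers on OT ports, and from where? Here is an added example, not from the advisory or any vendor, that walks constructed flow records and flags hits on the ports the advisory names; the trusted engineering subnet, the record format and every address are assumptions.

```python
import ipaddress
from collections import namedtuple

# OT service ports named in the advisory this article covers.
OT_PORTS = {
    44818: "EtherNet/IP",
    2222: "EtherNet/IP (CIP I/O)",
    102: "ISO-TSAP/S7",
    22: "SSH",
    502: "Modbus/TCP",
}
# Assumption: only this engineering subnet may reach controllers (hypothetical).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "ts src dst dport proto")

def parse_flow(line):
    """Parse a constructed record: '<ts> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)

def is_in(ip, nets):
    return any(ip in net for net in nets)

def suspicious_ot_flows(lines):
    """Flag flows to an OT port whose source is not the trusted engineering subnet.
    Non-RFC1918 sources are labelled 'internet' (direct exposure); untrusted internal
    sources 'lateral' (an IT host that should never be talking to a PLC)."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.dport not in OT_PORTS or is_in(f.src, ALLOWED_SOURCES):
            continue
        origin = "lateral" if is_in(f.src, RFC1918) else "internet"
        hits.append((f.ts, str(f.src), str(f.dst), f.dport, OT_PORTS[f.dport], origin))
    return hits

# Constructed sample flow records (documentation/test addresses, not real traffic).
SAMPLE_LOG = """\
2026-04-07T02:11:09Z 10.20.0.15 10.50.1.10 44818 tcp
2026-04-07T02:13:41Z 203.0.113.77 10.50.1.10 44818 tcp
2026-04-07T02:14:02Z 203.0.113.77 10.50.1.10 2222 tcp
2026-04-07T02:20:55Z 198.51.100.9 10.50.1.12 502 tcp
2026-04-07T02:22:13Z 10.99.3.4 10.50.1.12 22 tcp
2026-04-07T02:30:00Z 10.20.0.15 10.50.1.12 443 tcp
""".splitlines()
```

Running `suspicious_ot_flows(SAMPLE_LOG)` returns four hits: three from outside addresses on 44818, 2222 and 502, and one internal host on 22 that is not on the engineering subnet; the trusted workstation's own traffic is ignored.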
What Happens If They Flip the Wrong Switch?
Imagine: valves stuck open, chemicals over-dosed. Not sci-fi—feasible tomorrow. Financial loss? Millions in cleanup. Ops halt? Weeks. Chaos? Panic-buy bottled water, brownouts.
Exabeam’s Povolny again:
“Visibility gaps between IT and OT telemetry remain one of the most persistent weaknesses I see across critical infrastructure operators. Teams should prioritize passive network monitoring… confirm that engineering workstations and vendor maintenance channels are tightly controlled and logged.”
Spot on. But ‘may be too late’—ouch.
My bold call: without mandated OT audits (hello, Congress?), this repeats yearly. Tie exec bonuses to cyber hygiene. Make mayors sweat water hacks. Only then, maybe, we armor up.
Two decades in, I’m weary. Hype cycles come, breaches go. But CNI? Non-negotiable. Act, or pay.
Frequently Asked Questions
What ports should CNI operators monitor for Iranian hackers?
Ports 44818, 2222, 102, 22, and 502—especially overseas traffic hitting OT gear like PLCs.
How do Iranian hackers access Rockwell PLCs?
Via Studio 5000 Logix Designer software from third-party hosts, creating fake ‘accepted connections’ to manipulate controls.
What should US water plants do right now?
Hunt CISA IOCs in logs, firewall PLCs from the internet, set controllers to run mode, and segment IT from OT.