Critical Infrastructure Under Siege: Iranian Hackers Target Nearly 4,000 US Industrial PLCs
A coordinated cyberattack campaign by Iranian state-sponsored threat actors has exposed critical vulnerabilities in American industrial control systems, with nearly 4,000 programmable logic controllers (PLCs) left internet-accessible and vulnerable to exploitation. This alarming development, revealed through a joint advisory from multiple U.S. federal agencies, marks a significant escalation in cyber warfare targeting critical infrastructure.
The Scope of the Threat
According to cybersecurity firm Censys, approximately 5,219 internet-exposed hosts globally respond to the EtherNet/IP (EIP) protocol and self-identify as Rockwell Automation/Allen-Bradley devices. The United States accounts for a staggering 74.6% of this global exposure—equating to roughly 3,891 domestic industrial hosts directly reachable from the internet. Many of these devices are deployed via cellular modems in field locations rather than hardened enterprise environments, creating compounded security risks.
Federal investigators confirmed that Iranian-affiliated Advanced Persistent Threat (APT) groups have been systematically targeting Rockwell Automation/Allen-Bradley PLCs since March 2026. The attackers have successfully extracted device project files and manipulated data displayed on human-machine interface (HMI) and SCADA systems, resulting in operational disruptions and measurable financial losses.
Attack Methodology and Impact
The joint advisory revealed that these threat actors employed sophisticated techniques to compromise industrial systems:
- Initial Compromise: Exploiting internet-exposed PLCs lacking adequate boundary protections
- Lateral Movement: Moving across networks to target additional operational technology devices
- Data Exfiltration: Extracting sensitive operational data including control system configurations
- Command & Control: Establishing persistent access channels for ongoing surveillance
The geopolitical motivation behind these attacks appears linked to escalating tensions between Iran, the United States, and Israel. This pattern follows previous Iranian campaigns, including the CyberAv3ngers group’s compromise of 75 Unitronics PLC devices in water and wastewater systems during late 2023 and early 2024.
Concurrent Schneider SCADAPack Vulnerability
Adding to industrial security concerns, Schneider Electric disclosed a high-severity vulnerability (CVE-2026-0667) affecting SCADAPack x70 Remote Terminal Units (RTUs) and RemoteConnect software. The flaw, which carries a CVSS v3.1 base score of 8.8, allows unauthenticated remote code execution over Modbus TCP connections.
The vulnerability impacts SCADAPack x70 RTUs running firmware versions 5.0 through 7.5 and RemoteConnect software versions 2.0 through 3.2. Schneider has released patches in firmware version 7.6+ and software version 3.3+, urging immediate updates across affected installations in energy, water, manufacturing, and transportation sectors.
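
The version ranges above can be applied to an asset inventory as follows. This is an added example, not code from Schneider Electric or the advisory. The inventory layout, asset names and status labels are hypothetical, and treating every build below the fixed release (for example 7.5.2) as affected is a conservative assumption.

```python
import re

# Affected and fixed versions as stated in the article for CVE-2026-0667.
# Keys are product names as they would appear in a hypothetical inventory export.
ADVISORY = {
    "SCADAPack x70": {"first_affected": (5, 0), "fixed": (7, 6)},
    "RemoteConnect": {"first_affected": (2, 0), "fixed": (3, 3)},
}

# Constructed sample inventory: (asset, product, version string)
SAMPLE_INVENTORY = [
    ("rtu-pump-01", "SCADAPack x70", "7.5"),
    ("rtu-pump-02", "SCADAPack x70", "v7.5.2"),
    ("rtu-lift-07", "SCADAPack x70", "7.6"),
    ("rtu-well-03", "SCADAPack x70", "4.9"),
    ("eng-ws-01", "RemoteConnect", "3.2"),
    ("eng-ws-02", "RemoteConnect", "3.10"),
    ("rtu-tank-09", "SCADAPack x70", "unknown"),
]

def parse_version(text):
    """Return (major, minor) as integers, or None if no version is present."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(product, version_text):
    """Classify one asset against the advisory's version ranges."""
    rule = ADVISORY.get(product)
    if rule is None:
        return "not-covered"
    version = parse_version(version_text)
    if version is None:
        return "review"        # fail closed: cannot prove the device is patched
    if version >= rule["fixed"]:
        return "patched"       # tuple compare, so 3.10 sorts after 3.3
    if version >= rule["first_affected"]:
        return "affected"      # includes patch levels below the fixed release
    return "below-range"       # older than the stated range; confirm with vendor

def report(inventory):
    """Map each asset name to its triage status."""
    return {asset: triage(product, ver) for asset, product, ver in inventory}

if __name__ == "__main__":
    for asset, status in report(SAMPLE_INVENTORY).items():
        print(f"{asset:12} {status}")
```
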
Defense Strategies for Industrial Operators
Security experts recommend immediate implementation of defense-in-depth measures:
| Security Measure | Implementation Priority |
|---|---|
| Zero Trust Network Segmentation | Critical – Isolate PLCs from internet and corporate networks |
| Multifactor Authentication | High – Enforce MFA for all OT network access |
| Egress Security Controls | High – Monitor and restrict outbound traffic |
| East-West Traffic Monitoring | Medium – Detect lateral movement patterns |
| Firmware Update Program | Critical – Apply latest security patches |
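
The segmentation, egress and east-west rows of the table can be checked against boundary flow logs. The sketch below is an added example, not part of the advisory or any vendor tooling. The subnets, allowed peer and log layout are assumptions, and the sample records are constructed. The ports are the registered ones for EtherNet/IP (TCP 44818, UDP 2222) and Modbus TCP (TCP 502).

```python
import ipaddress

# Registered OT service ports: EtherNet/IP explicit messaging (TCP 44818),
# EtherNet/IP implicit I/O (UDP 2222) and Modbus TCP (TCP 502).
OT_PORTS = {("tcp", 44818): "EtherNet/IP", ("udp", 2222): "EtherNet/IP I/O",
            ("tcp", 502): "Modbus TCP"}

# Assumptions: site addressing. Replace with the real subnets and hosts.
net = ipaddress.ip_network
INTERNAL_NETS = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
OT_NETS = [net("10.20.0.0/16")]
ALLOWED_PEERS = {ipaddress.ip_address("10.10.1.10")}  # engineering workstation

# Constructed sample flow records: proto src sport dst dport action
SAMPLE_FLOWS = """\
tcp 10.10.1.10 51512 10.20.5.21 44818 allow
tcp 203.0.113.45 40112 10.20.5.21 44818 allow
tcp 10.30.7.8 49822 10.20.5.22 502 allow
tcp 10.20.5.21 50333 198.51.100.9 443 allow
udp 10.20.5.21 2222 10.20.5.30 2222 allow
tcp 203.0.113.45 40113 10.20.5.22 502 deny
"""

def within(addr, nets):
    return any(addr in n for n in nets)

def classify(line):
    """Return a finding for one flow record, or None if the flow is expected."""
    proto, src, _sport, dst, dport, action = line.split()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if action != "allow":
        return None  # blocked at the boundary, never reached the device
    service = OT_PORTS.get((proto, int(dport)))
    if service and within(dst, OT_NETS):
        if not within(src, INTERNAL_NETS):
            return f"internet-exposed {service}: {src} -> {dst}"
        if not within(src, OT_NETS) and src not in ALLOWED_PEERS:
            return f"cross-zone {service}: {src} -> {dst}"
        return None
    if within(src, OT_NETS) and not within(dst, INTERNAL_NETS):
        return f"OT egress to internet: {src} -> {dst}:{dport}"
    return None

def audit(text):
    """Return all findings for a block of flow records, in input order."""
    return [f for f in map(classify, text.strip().splitlines()) if f]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```
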
PLC Technology Evolution: AI Integration Accelerates
In related developments, the industrial automation sector continues advancing toward AI-integrated PLC architectures. The convergence of operational technology (OT) and artificial intelligence represents a paradigm shift, with hybrid execution models now achieving remarkable performance gains.
Cisco’s 2026 State of Industrial AI Report, surveying over 1,000 industrial professionals across 19 countries, reveals that 87% of organizations expect meaningful AI outcomes within two years, with 83% planning to increase AI spending. Two-thirds are actively deploying AI in live operations, driving real productivity improvements—59% report increased productivity, and 42% have achieved measurable cost reductions.
Chinese domestic PLC manufacturers are also making significant strides. Companies like Inovance, Nanda Automation (南大傲拓), and UnionScience (联诚科技) are challenging foreign dominance in high-end manufacturing applications. Inovance has achieved near-native integration between its PLCs and servo systems, enabling precision control previously only available from European suppliers. Nanda Automation’s redundant PLC architectures have proven reliable in power, water conservancy, and rail transit applications.
Market Dynamics and Supply Chain Considerations
The global industrial automation market faces unprecedented supply chain restructuring. European buyers increasingly seek alternatives to premium brands like Siemens, Beckhoff, and Bosch Rexroth due to cost pressures and delivery instability. Chinese automation products are gaining traction, particularly in industrial communication modules, I/O modules, IPCs, and gateway solutions.
The domestic Chinese large and medium PLC market reached 95-100 billion RMB in 2025, with domestic brands capturing 18.8% market share. This figure is projected to exceed 30% by 2028, driven by policy support for technology self-sufficiency and critical infrastructure localization requirements.
Key Takeaways
This week’s developments underscore the dual challenges facing industrial automation stakeholders: escalating cybersecurity threats against operational technology infrastructure, and the rapid evolution of PLC technology toward AI-integrated architectures. Organizations must balance the imperative for digital transformation with rigorous security implementation.
For industrial operators, the message is clear: internet-exposed PLCs represent unacceptable risk in the current threat landscape. Immediate network segmentation, combined with systematic firmware updates and zero-trust access controls, forms the foundation of industrial cybersecurity resilience.
As industrial AI continues its march from proof-of-concept to production deployment, the industry awaits Hannover Messe 2026—where over 3,000 exhibitors will demonstrate how targeted deployment of industrial AI, robotics, and digitalization translates into measurable competitive advantages. The intersection of cybersecurity and artificial intelligence will undoubtedly dominate discussions as the sector navigates these transformative times.