Thousands of US Industrial PLCs Exposed to Iranian State-Sponsored Threat Actors
Nearly 4,000 Rockwell Automation PLCs in the US are directly exposed online, creating a significant attack surface for Iranian state-sponsored hackers targeting critical infrastructure.

Executive Summary
Nearly 4,000 industrial control devices in the United States are directly accessible from the public internet, creating a significant and immediate attack surface for Iranian state-sponsored threat actors. According to analysis by cybersecurity firm BitSight, these exposed devices—primarily Rockwell Automation programmable logic controllers (PLCs)—are part of a documented campaign by Iranian Advanced Persistent Threat (APT) groups targeting U.S. critical infrastructure. Because these operational technology (OT) assets sit outside any network segmentation defense, an attacker can reach them directly and manipulate the physical industrial processes they control.
Technical Analysis
The exposed devices are Rockwell Automation ControlLogix and CompactLogix series PLCs. These are critical components in industrial environments, governing machinery in sectors such as manufacturing, water treatment, and energy. BitSight's research, as reported by BleepingComputer, identified these devices by scanning for specific service banners on TCP port 44818, the standard port for the EtherNet/IP industrial protocol used by Rockwell devices. Direct internet exposure means these PLCs are neither protected by firewalls nor placed behind demilitarized zones (DMZs), violating core OT security principles. An attacker with network access to this port could issue direct commands to read device status, modify control logic, or force the PLC into a halted state, potentially causing operational disruption or physical damage. The technical barrier to exploitation is lowered because these devices often use default or weak credentials and lack native authentication for programming commands.
Tactics, Techniques & Procedures
The reported activity aligns with known TTPs of Iranian APTs, particularly the "Click Here" campaign disclosed by CISA, FBI, NSA, and international partners in February 2024. The primary techniques in this phase are Discovery (TA0043) and Initial Access (TA0001) via internet-facing OT assets. Threat actors are scanning for and identifying exposed PLCs and human-machine interfaces (HMIs). Subsequent TTPs likely involve Brute Force (T1110) attempts against weak credentials and Command-Line Interface (T1059) manipulation of the PLCs over native engineering protocols. The end goal is presumed to be Inhibit Control System Function (T0805) or Manipulation of Control (T0831). The direct exposure of the PLCs simplifies the attack chain, potentially eliminating the need for earlier steps such as spear-phishing or VPN exploitation.
Threat Actor Context
The activity is attributed to Iranian state-sponsored cyber actors, specifically groups tracked as CyberAv3ngers and Soldier of Fortune. These groups have a documented history of targeting critical infrastructure, with a pronounced focus on Israel and its allies, including the United States. Their campaigns often blend cyber effects with geopolitical messaging. The targeting of U.S. water and wastewater systems in late 2023 is a direct precursor to this wider exposure finding. The actors show an intent to cause disruption and to showcase capability, rather than to conduct pure espionage. It is unclear whether all exposed devices have been actively probed or compromised, but their accessibility aligns closely with the actors' stated targeting patterns.
Mitigations & Recommendations
Immediate action is required to reduce this attack surface.
- Network Segmentation: Remove all OT devices, including PLCs, HMIs, and engineering workstations, from direct internet access. Implement a properly configured firewall and use a demilitarized zone (DMZ) architecture for any necessary remote access.
- Access Control: Enforce strong, unique passwords on all OT devices and network components. Implement multi-factor authentication (MFA) for all remote access solutions, such as VPNs and jump boxes.
- Asset Inventory: Conduct a thorough inventory of all OT/ICS assets to identify unknown or unauthorized devices, particularly those with external network interfaces.
- Monitoring: Deploy network monitoring solutions capable of parsing industrial protocols to detect anomalous commands or unauthorized access attempts within the OT environment.
- Vendor Guidance: Consult and implement Rockwell Automation's security advisories and best practices for hardening ControlLogix and CompactLogix systems.
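The port 44818 banner identification described in the Technical Analysis, and the protocol-aware monitoring recommended above, both rest on decoding EtherNet/IP ListIdentity replies. The following added example (not code from BitSight, Rockwell, or the original article) parses such a reply per the ODVA encapsulation layout and flags a Rockwell PLC whose reply was observed leaving for an address outside an assumed set of internal ranges; the sample packet, the internal ranges, and the product/serial values are all constructed for illustration.

```python
import ipaddress
import socket
import struct
# EtherNet/IP encapsulation constants (ODVA specification) as seen on TCP/UDP 44818
ENCAP_HEADER = struct.Struct("<HHIIQI")   # command, length, session, status, context, options
LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
ROCKWELL_VENDOR_ID = 1                    # ODVA vendor ID of Rockwell Automation / Allen-Bradley
PLC_DEVICE_TYPE = 0x0E                    # CIP device type "Programmable Logic Controller"
# Assumed internal ranges; a real deployment would load the organisation's own address plan
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_list_identity(payload: bytes) -> dict:
    """Decode a ListIdentity reply and return the device's CIP identity fields."""
    cmd, length, _session, status, _ctx, _opts = ENCAP_HEADER.unpack_from(payload, 0)
    if cmd != LIST_IDENTITY or status != 0:
        raise ValueError(f"not a successful ListIdentity reply (cmd=0x{cmd:04x}, status={status})")
    body = payload[ENCAP_HEADER.size:ENCAP_HEADER.size + length]
    item_count, item_type, item_len = struct.unpack_from("<HHH", body, 0)
    if item_count < 1 or item_type != CIP_IDENTITY_ITEM:
        raise ValueError("reply carries no CIP identity item")
    item = body[6:6 + item_len]
    # The embedded sockaddr_in is big-endian; every other field is little-endian
    _family, port = struct.unpack_from(">HH", item, 2)
    advertised_ip = socket.inet_ntoa(item[6:10])
    vendor, dev_type, product, rev_major, rev_minor, dev_status, serial = struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    return {"vendor_id": vendor, "device_type": dev_type, "product_code": product,
            "revision": f"{rev_major}.{rev_minor:03d}", "status": dev_status, "serial": f"{serial:08x}",
            "product_name": name, "state": item[33 + name_len], "advertised_ip": advertised_ip, "advertised_port": port}

def exposure_finding(identity: dict, peer_ip: str) -> dict:
    """Flag a Rockwell PLC whose identity reply went to a peer outside the internal ranges."""
    is_plc = identity["vendor_id"] == ROCKWELL_VENDOR_ID and identity["device_type"] == PLC_DEVICE_TYPE
    peer = ipaddress.ip_address(peer_ip)
    external = not any(peer in net for net in INTERNAL_NETS)
    return {"rockwell_plc": is_plc, "internet_exposed": is_plc and external,
            "summary": f"{identity['product_name']} (serial {identity['serial']}) answered {peer_ip}"}

# Constructed sample reply (not a real capture) describing a ControlLogix-style controller
SAMPLE_REPLY = (
    ENCAP_HEADER.pack(LIST_IDENTITY, 60, 0, 0, 0, 0)
    + struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, 54)
    + struct.pack("<H", 1)                                                      # protocol version
    + struct.pack(">HH", 2, 44818) + socket.inet_aton("192.0.2.10") + bytes(8)  # sockaddr_in
    + struct.pack("<HHHBBHI", ROCKWELL_VENDOR_ID, PLC_DEVICE_TYPE, 89, 30, 11, 0x0030, 0x00C0FFEE)
    + bytes([20]) + b"1756-L71/B LOGIX5571" + bytes([3])                        # name, state
)
```

Feeding `parse_list_identity` with reply payloads captured at the OT boundary, and `exposure_finding` with the destination address of each reply, gives a simple inventory of controllers that have answered identity requests from outside the plant network.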
