CISA and Partners Release Advisory on Iranian-Affiliated Cyber Actors Targeting US Critical Infrastructure
March 20, 2026
CISA, in partnership with the Federal Bureau of Investigation, National Security Agency, Environmental Protection Agency, Department of Energy, and United States Cyber Command – Cyber National Mission Force, published the joint Cybersecurity Advisory Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure. The advisory warns U.S. organizations of ongoing cyber exploitation targeting internet-connected operational technology devices, including Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs), across multiple critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems, and Energy.
These disruptions include malicious interactions with the project file and manipulation of data on human machine interface and supervisory control and data acquisition displays, resulting in operational disruption and financial loss. The authoring agencies recommend organizations review the tactics, techniques, and procedures and indicators of compromise in this advisory for indications of current or historical activity on their networks and apply the recommendations in this advisory to reduce the risk of compromise.
Key Actions
- Remove PLCs from direct internet exposure via secure gateway and firewall.
- Query available logs for the provided IOCs in the corresponding time frames.
- Check available logs for suspicious traffic on the ports associated with OT devices, including 44818, 2222, 102, and 502, especially traffic originating from overseas hosting providers.
- Place the physical key switch on the controller into the run position.
- Contact the authoring agencies and Rockwell Automation for guidance if you believe your organization was targeted.
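
For the log-check action above, the following is an added example (not code from the advisory or the authoring agencies) that flags connections to the listed OT ports from sources outside the site's own address space. The CSV flow-log layout, the RFC 1918 "internal" ranges and the sample addresses are assumptions; deciding whether a source belongs to an overseas hosting provider needs separate ASN or geolocation enrichment.

```python
import csv
import ipaddress
from collections import Counter

# Ports named in the advisory's key actions, with their usual OT protocol.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O",
            102: "ISO-TSAP/S7", 502: "Modbus/TCP"}

# Assumption: RFC 1918 space is "internal"; replace with your own site ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (time, src, dst, dst_port, action); addresses are
# documentation ranges, not indicators from the advisory.
SAMPLE_LOG = """\
2026-03-01T02:14:07Z,203.0.113.45,10.20.0.11,44818,allow
2026-03-01T02:14:09Z,203.0.113.45,10.20.0.11,44818,allow
2026-03-01T02:15:30Z,10.20.0.5,10.20.0.11,44818,allow
2026-03-01T03:01:12Z,198.51.100.7,10.20.0.12,502,deny
2026-03-01T03:05:44Z,198.51.100.7,10.20.0.13,443,allow
not,a,valid,line
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def flag_ot_exposure(log_text):
    """Count connections to OT ports whose source is outside INTERNAL_NETS."""
    hits = Counter()
    for row in csv.reader(log_text.splitlines()):
        try:
            _ts, src, dst, port, action = row
            src_ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:
            continue  # skip malformed or truncated lines
        if port in OT_PORTS and not is_internal(src_ip):
            hits[(src, dst, port, action)] += 1
    # Allowed sessions first: they reached the device and matter most.
    return sorted(hits.items(), key=lambda kv: (kv[0][3] != "allow", -kv[1]))

if __name__ == "__main__":
    for (src, dst, port, action), n in flag_ot_exposure(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} ({OT_PORTS[port]}) {action} x{n}")
```

Any allowed hit from an external source also indicates that the first key action, removing the PLC from direct internet exposure, has not been completed for that device.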
For more information on Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and the FBI’s Iran Threat webpage.