Iran-Linked Hackers Target US Critical Infrastructure, Exposing Dangerous Gaps in Industrial Cybersecurity
Iran-backed hackers are actively exploiting vulnerabilities in US industrial control systems, including Rockwell Automation and Siemens PLCs, threatening water, energy, and government facilities. Experts warn that internet-exposed devices and poor network segmentation create a vast attack surface that adversaries are rapidly exploiting amid ongoing geopolitical tensions.
The US government this week issued a stark warning: Iran-linked hackers are targeting critical infrastructure organizations by hacking industrial control systems (ICS) and operational technology (OT). This alarming campaign is focusing on programmable logic controllers (PLCs) from major vendors like Rockwell Automation and Siemens, putting essential services such as water treatment and energy grids at risk.
According to a joint advisory from CISA, the FBI, and other agencies, these threat actors are exploiting internet-exposed PLCs and abusing legitimate programming software, including Rockwell’s Studio 5000 Logix Designer, to tamper with human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems. The result has been operational disruptions and financial losses, as attackers manipulate control logic and falsify data displayed to operators.
Industry experts are sounding the alarm on the scope and sophistication of these attacks. Markus Mueller, Field CISO at Nozomi Networks, points out that nation-state-aligned hackers have long targeted exposed OT devices during geopolitical conflicts, but the scale of devices still online—over 3,000 Rockwell PLCs alone in North America—is a glaring vulnerability. Many organizations remain unaware that critical controllers are connected to the internet or underestimate the risks, leaving a sprawling attack surface ripe for exploitation.
Denis Calderone, CTO of Suzu Labs, highlights the real-world dangers: attackers are extracting and manipulating PLC programming logic, causing operators to make decisions based on false sensor readings. This can lead to equipment damage, safety incidents, or worse. While Rockwell Automation commands a significant share of the US PLC market, the advisory warns that Siemens and other vendors are also at risk, given the range of targeted communication protocols like EtherNet/IP, S7comm, and Modbus.
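The advisory's description of logic extraction and falsified readings over EtherNet/IP, S7comm and Modbus suggests a simple network-side check: any session on those protocol ports that reaches a PLC from a host other than an approved engineering workstation deserves a look, and any Modbus write from such a host deserves an alert. The following is an added example written for this article, not code from the advisory or any of the vendors quoted; the flow records, the addresses, the engineering-workstation allowlist and the OT address range are all constructed assumptions.

```python
"""Flag ICS-protocol sessions to PLCs that do not come from an approved
engineering workstation (added example; all hosts and flows are constructed)."""
from ipaddress import ip_address, ip_network

# Well-known TCP ports of the protocols named in the advisory.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    44818: "EtherNet/IP (explicit messaging)",
}

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}

# Assumptions for the example: one engineering workstation (EWS) allowed to
# program PLCs, two PLCs, and one OT address range.
ENGINEERING_WORKSTATIONS = {"10.20.1.10"}
PLC_ADDRESSES = {"10.20.2.50", "10.20.2.51"}
OT_NETWORKS = [ip_network("10.20.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, modbus_function_code or None)
FLOWS = [
    ("10.20.1.10", "10.20.2.50", 44818, None),    # EWS downloading logic: expected
    ("10.20.1.10", "10.20.2.51", 502, 16),        # EWS writing registers: expected
    ("10.20.9.77", "10.20.2.51", 502, 3),         # HMI reading holding registers: routine
    ("10.20.9.77", "10.20.2.51", 502, 6),         # HMI writing a register: flag
    ("203.0.113.45", "10.20.2.50", 44818, None),  # EtherNet/IP from outside OT: flag
    ("10.20.9.80", "10.20.2.50", 102, None),      # unknown host speaking S7comm: flag
]


def classify_flow(src, dst, dport, fc=None):
    """Return a finding for a suspicious PLC session, or None if it looks normal."""
    if dst not in PLC_ADDRESSES or dport not in ICS_PORTS:
        return None
    if src in ENGINEERING_WORKSTATIONS:
        return None  # approved programming host
    proto = ICS_PORTS[dport]
    if not any(ip_address(src) in net for net in OT_NETWORKS):
        return f"{src} -> {dst}: {proto} session from outside the OT address space"
    if dport == 502 and fc is not None:
        if fc in MODBUS_WRITE_FCS:
            return f"{src} -> {dst}: Modbus write (function code {fc}) from non-engineering host"
        return None  # read-only polling by HMIs and historians is routine
    return f"{src} -> {dst}: {proto} session from non-engineering host"


def find_suspicious(flows):
    """Run classify_flow over a batch of flow records and keep the findings."""
    return [finding for finding in (classify_flow(*flow) for flow in flows) if finding]


if __name__ == "__main__":
    for line in find_suspicious(FLOWS):
        print(line)
```

Real deployments would feed this from a protocol-aware sensor or flow collector rather than a hard-coded list, and would keep the allowlist in an asset inventory; the point the example makes is that reads and writes need different treatment, and that the source host, not just the destination port, decides whether a session is normal.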
The consensus from security leaders is clear: PLCs must never be directly accessible from the internet. Effective defense requires isolating these devices behind segmented OT network zones with strict firewall controls between IT and OT environments. Duncan Greatwood, CEO of Xage Security, emphasizes that simply disconnecting assets is a stopgap measure. Attackers can still infiltrate networks through compromised devices brought inside by technicians, underscoring the need for systemic cybersecurity improvements.
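The segmentation advice above can be checked against a firewall policy before an attacker does it for you. The following is an added example written for this article, not code from any of the vendors or agencies quoted: it models a zone-based policy as first-match rules, flags any path from the internet or the IT zone that reaches a PLC protocol port in the OT zone in one hop, and also reports two-hop paths through an intermediate zone such as an OT DMZ, which is the kind of "still reachable" path behind the warning that disconnection alone is a stopgap. Zone names, rules and ports are assumptions; the weak and hardened policies are constructed for contrast.

```python
"""Audit a zone-based firewall policy for paths that let untrusted zones reach
PLC protocol ports in the OT zone (added example; rules are constructed)."""
from itertools import product

ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 44818: "EtherNet/IP"}
UNTRUSTED_ZONES = {"internet", "it"}  # zones that must never reach PLCs directly

# A rule is (src_zone, dst_zone, dst_port or "any", action); first match wins.
WEAK_POLICY = [
    ("it", "ot", "any", "allow"),        # flat IT/OT boundary: everything passes
    ("internet", "ot", 44818, "allow"),  # "remote support" hole straight to the PLCs
    ("any", "any", "any", "deny"),
]

HARDENED_POLICY = [
    ("it", "ot-dmz", 443, "allow"),      # IT reaches only a jump host in the DMZ
    ("ot-dmz", "ot", 44818, "allow"),    # only the DMZ jump host programs PLCs
    ("ot-dmz", "ot", 502, "allow"),
    ("ot", "ot-dmz", "any", "allow"),    # historian data flows outward
    ("any", "any", "any", "deny"),
]


def evaluate(policy, src_zone, dst_zone, dport):
    """Return the action of the first matching rule; default deny if none matches."""
    for rule_src, rule_dst, rule_port, action in policy:
        if rule_src in (src_zone, "any") and rule_dst in (dst_zone, "any") \
                and rule_port in (dport, "any"):
            return action
    return "deny"


def zones_in(policy):
    """All concrete zone names referenced by the policy."""
    return {zone for rule in policy for zone in rule[:2] if zone != "any"}


def ports_in(policy):
    """Concrete ports referenced by the policy, plus the PLC protocol ports."""
    return {rule[2] for rule in policy if rule[2] != "any"} | set(ICS_PORTS)


def direct_exposure(policy):
    """(untrusted zone, port, protocol) triples reachable into OT in one hop."""
    return [(zone, port, ICS_PORTS[port])
            for zone, port in product(sorted(UNTRUSTED_ZONES), sorted(ICS_PORTS))
            if evaluate(policy, zone, "ot", port) == "allow"]


def pivot_exposure(policy):
    """(untrusted zone, intermediate zone, port, protocol) for two-hop paths:
    the untrusted zone reaches the intermediate zone on some port, and the
    intermediate zone may speak a PLC protocol into OT."""
    found = []
    intermediates = zones_in(policy) - UNTRUSTED_ZONES - {"ot"}
    for zone, mid in product(sorted(UNTRUSTED_ZONES), sorted(intermediates)):
        if not any(evaluate(policy, zone, mid, p) == "allow" for p in ports_in(policy)):
            continue
        for port in sorted(ICS_PORTS):
            if evaluate(policy, mid, "ot", port) == "allow":
                found.append((zone, mid, port, ICS_PORTS[port]))
    return found


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "direct:", direct_exposure(policy))
        print(name, "pivot:", pivot_exposure(policy))
```

On the weak policy the audit reports every PLC port open from IT plus the EtherNet/IP hole from the internet. On the hardened policy no direct path remains, but the two-hop report still shows that whatever sits in the OT DMZ can program the PLCs, so that host needs the same hardening, monitoring and access control as the controllers it fronts.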
This campaign marks a dangerous escalation in the weaponization of domestic infrastructure, with attackers targeting the very logic that controls vital industrial processes. As geopolitical tensions persist, the risk of hybrid warfare via cyberattacks against critical systems will only grow. The US must urgently address these vulnerabilities before adversaries turn digital disruption into physical disaster.