Researchers at Censys have revealed that 5,219 Rockwell Automation programmable logic controllers (PLCs) are exposed to the internet, raising serious alarms about potential exploitation by advanced persistent threat (APT) groups. A significant portion of these devices are located in the United States, placing domestic critical infrastructure at considerable risk. The risk is compounded by hostile actors' continued targeting of internet-connected operational technology (OT), a foundational component across multiple infrastructure sectors.
U.S. Agencies Issue Formal Advisory
On April 7, 2026, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) jointly issued a security advisory addressing the exposure of these devices. The advisory specifically calls out Iran-linked APT groups as the primary threat actors actively targeting these internet-facing Rockwell Automation systems. Agencies stressed that critical infrastructure operators must immediately assess the necessity of each PLC’s internet connectivity and take steps to reduce their exposure.
Recommended actions from the advisory include:
- Directly verify every Rockwell PLC for unauthorized internet reachability, rather than relying on network diagrams or assumptions about where a device sits.
- Implement stringent access controls and multi-factor authentication measures.
- Conduct periodic security audits and vulnerability assessments of industrial control systems (ICS).
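As an added example, and not code from Censys, the advisory, or Rockwell Automation, the following Python script performs the kind of check the first recommendation calls for. It builds an EtherNet/IP ListIdentity request, the unauthenticated fingerprinting query that internet-wide scanners rely on to recognise Rockwell devices, parses the reply into the vendor, device type, product name and serial fields, and flags any PLC that answers on a globally routable address. TCP port 44818, the ListIdentity command code 0x0063, ODVA vendor ID 1 (Rockwell Automation / Allen-Bradley) and device type 0x0E (Programmable Logic Controller) are standard EtherNet/IP values; the sample reply, the product code, serial number, product name and the inventory addresses are constructed for the demonstration.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ENIP_PORT = 44818           # EtherNet/IP encapsulation port used by Rockwell PLCs
CMD_LIST_IDENTITY = 0x0063  # ListIdentity encapsulation command (no session needed)
ITEM_CIP_IDENTITY = 0x000C  # CIP Identity item type carried in the reply
VENDOR_ROCKWELL = 1         # ODVA vendor ID 1: Rockwell Automation / Allen-Bradley
DEVICE_TYPE_PLC = 0x0E      # ODVA device type: Programmable Logic Controller


def build_list_identity_request(context: bytes = b"expocheck") -> bytes:
    """24-byte encapsulation header with an empty body: command, length,
    session handle, status, 8-byte sender context, options."""
    context = context[:8].ljust(8, b"\x00")
    return struct.pack("<HHII8sI", CMD_LIST_IDENTITY, 0, 0, 0, context, 0)


@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    serial: int
    product_name: str

    @property
    def is_rockwell_plc(self) -> bool:
        return self.vendor_id == VENDOR_ROCKWELL and self.device_type == DEVICE_TYPE_PLC


def parse_list_identity_reply(data: bytes) -> Identity:
    """Walk the encapsulation header and the item list, returning the CIP Identity item."""
    cmd, length = struct.unpack_from("<HH", data, 0)
    if cmd != CMD_LIST_IDENTITY or len(data) < 24 + length:
        raise ValueError("not a complete ListIdentity reply")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if type_id == ITEM_CIP_IDENTITY:
            item = body[off:off + item_len]
            # 2-byte protocol version and a 16-byte sockaddr precede the identity fields
            (vendor, dev_type, prod_code, rev_major, rev_minor,
             _status, serial) = struct.unpack_from("<HHHBBHI", item, 18)
            name_len = item[32]
            name = item[33:33 + name_len].decode("ascii", "replace")
            return Identity(vendor, dev_type, prod_code, f"{rev_major}.{rev_minor}", serial, name)
        off += item_len
    raise ValueError("no CIP Identity item in reply")


def build_sample_reply() -> bytes:
    """Constructed sample reply (not a capture) shaped like a ControlLogix answer."""
    name = b"1756-L71/B LOGIX5571"                       # constructed product name
    item = struct.pack("<H", 1)                          # encapsulation protocol version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, bytes([192, 168, 1, 10]), b"\x00" * 8)
    item += struct.pack("<HHHBBHI", VENDOR_ROCKWELL, DEVICE_TYPE_PLC,
                        0x5C, 20, 11, 0x0030, 0x00ABCDEF)  # constructed code/rev/status/serial
    item += bytes([len(name)]) + name + b"\x03"          # product name, device state
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    header = struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(body), 0, 0, b"expocheck"[:8], 0)
    return header + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the reply was complete")
        buf += chunk
    return buf


def probe(host: str, timeout: float = 3.0) -> Optional[Identity]:
    """Live check: ask one host who it is. Returns None if the port is closed."""
    try:
        with socket.create_connection((host, ENIP_PORT), timeout=timeout) as s:
            s.sendall(build_list_identity_request())
            header = _recv_exact(s, 24)
            (length,) = struct.unpack_from("<H", header, 2)
            return parse_list_identity_reply(header + _recv_exact(s, length))
    except (OSError, ValueError):
        return None


def exposure_report(inventory: Dict[str, Identity]) -> List[str]:
    """Rockwell PLCs answering on globally routable addresses: what Censys counts."""
    return sorted(ip for ip, ident in inventory.items()
                  if ident.is_rockwell_plc and ipaddress.ip_address(ip).is_global)


if __name__ == "__main__":
    ident = parse_list_identity_reply(build_sample_reply())
    # Constructed inventory: one private address, one public placeholder address
    print(ident, exposure_report({"192.168.1.10": ident, "1.2.3.4": ident}))
```

Run `probe()` only against assets you are authorised to test, and run it from outside your own perimeter: a PLC that answers ListIdentity from the internet is exactly what the Censys count measures, and because the query needs no session or credentials, anything it reveals (product, firmware revision, serial) is already available to every scanner and adversary.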
Disconnection Remains the Top Recommendation
The agencies have urged operators to disconnect these devices from the internet wherever possible, identifying this as the most effective remediation measure. In cases where full disconnection is not operationally feasible, defenders are advised to take the following steps:
- Use network segmentation to isolate critical OT networks from corporate and public-facing systems.
- Deploy next-generation firewalls equipped with intrusion detection and prevention capabilities.
- Apply all available software updates and patches issued by Rockwell Automation without delay.
These measures are considered essential for reducing the attack surface available to threat actors who are known to scan for and exploit exposed industrial devices at scale.
Iran-Linked APT Groups Drive the Threat
The threat actors behind these campaigns are APT groups with documented ties to Iran. Historically, these groups have conducted cyber operations targeting critical infrastructure with the intent to cause disruption, gather intelligence, or demonstrate offensive capabilities. Their focus on internet-exposed PLCs reflects a broader pattern of targeting vulnerable OT environments that often lack the same security maturity as traditional IT networks.
Security professionals and operators in targeted sectors must remain alert and ensure that defensive measures align with current threat intelligence and government guidance.
Critical Infrastructure Sectors Face Serious Consequences
Exposed Rockwell PLCs have been identified across several key sectors, including energy, manufacturing, and water systems. Each of these sectors carries its own operational complexity and public safety significance. A successful compromise of OT within any of these environments could trigger disruptions with far-reaching consequences for the broader economy and civilian welfare.
To strengthen their security posture, professionals responsible for these systems should prioritize:
- Enhanced endpoint monitoring to detect unusual or unauthorized activity.
- Behavioral analytics tools to identify anomalies in network traffic and device communications.
- Regular staff training on recognizing phishing attempts and other common attack vectors used by state-backed threat groups.
Given the scale of exposure documented by Censys and the formal warnings issued by U.S. federal agencies, operators across all affected sectors must treat this as an urgent, active threat. Delaying action on securing or disconnecting exposed PLCs only extends the window of opportunity for hostile actors to exploit these systems. Swift, coordinated defensive action is the most reliable path to reducing risk.
