Secure AF - A Cybersecurity Podcast
Think like a hacker. Defend like a pro.
Welcome to the Secure AF Cybersecurity Podcast — your tactical edge in the ever-evolving cyber battlefield. Hosted by industry veterans including Donovan Farrow and Jonathan Kimmitt, this podcast dives deep into real-world infosec challenges, red team tactics, blue team strategies, and the latest tools shaping the cybersecurity landscape.
Whether you're a seasoned pentester, a SOC analyst, or just breaking into the field, you'll find actionable insights, expert interviews, and unfiltered discussions with Alias team members and top-tier guests from across the cybersecurity spectrum.
Stay sharp. Stay informed. Stay Secure AF.
Iranian APTs Targeting U.S. PLCs: OT Wake-Up Call for SOCs
Iranian-affiliated APT actors are actively targeting U.S. critical infrastructure, specifically PLCs powering essential operations across water, energy, and manufacturing.
This #SOCBrief breaks down the latest CISA alert, how attackers are exploiting OT environments, and what security teams need to be watching for right now. From key indicators to practical defense strategies, this is your wake-up call to treat OT as a high-value target.
Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.
Good morning, good afternoon, or good evening, whenever you may be, and welcome to another episode of the SOC Brief. This is your go-to podcast for staying ahead of the ever-evolving world of cybersecurity threats. I'm your host Andrew, and today we're going to discuss a fresh CISA alert that just dropped this morning, and that is Iranian-affiliated advanced persistent threat actors that are actively exploiting programmable logic controllers, known as PLCs, across U.S. critical infrastructure. This is a direct warning to anyone running operational technology within sectors that deal with water utilities, manufacturing, energy, and transportation. It's a huge reminder that OT systems are no longer the forgotten corner of the network. We'll discuss what's happening, why it's a big deal, key indicators to hunt for, and some practical steps you as a SOC can take to help protect these environments before attackers can gain a foothold. So first we'll talk about the trend in PLC exploitation. So CISA, along with the FBI and some other agencies, released advisory AA26-097A this morning, April 7th, 2026. It details how Iranian-linked APT actors have been targeting internet-facing PLCs manufactured by Rockwell Automation/Allen-Bradley. Since at least March 2026, these actors have been disrupting PLC functions, and there's some evidence of active exploitation across multiple U.S. critical infrastructure sectors going on right now. And you might be asking yourself, why PLCs? And the reason is programmable logic controllers are the brains behind industrial control systems. They do tasks such as run pumps, valves, assembly lines, and safety systems. Compromising them can cause physical disruption, like shutting down water treatment, halting manufacturing, or creating general safety hazards. The attackers are using known vulnerabilities in internet-exposed devices, often combined with weak authentication or default credentials on them.
And these attacks are happening amid heightened tensions between our countries, and it shows attackers are moving from IT to OT to specifically take down infrastructure. And these are not smash-and-grab ransomware operations. They're deliberate, persistent attempts to gain control of the physical processes of these devices. For SOCs, especially those with hybrid IT/OT environments, it is a huge wake-up call, as your OT systems are often less monitored, have longer patch cycles, and sit behind firewalls that were never designed for modern threats. For organizations with these OT devices in their environment, you have to start monitoring for anomalous traffic to PLC management ports, especially for the Rockwell devices. Look for unusual configuration changes and any unexpected command execution on industrial networks. And you can look for the IOCs that CISA published. There will be specific IP ranges and exploit patterns tied to these actors. From there, make sure you're blocking and quarantining your internet-facing OT devices. Most PLCs should never be directly reachable from the public internet. Make sure you're using network segmentation to isolate OT from IT, you're enforcing strict allow listing, and you enable logging on every PLC where available or possible. Search your OT logs for recent unauthorized access attempts. Check for things like unusual protocol traffic from Modbus or DNP3, and any kind of firmware changes. You can also make sure you're integrating your existing threat intelligence feed for these Iranian APT indicators. CISA's advisory included detailed TTPs and IOCs that you can start with. And communication through all this is key. So share this information with your OT engineers and your leadership. Make sure they're aware that any internet-exposed PLCs are under fire and that a review for exposure needs to happen immediately. You could also run a tabletop focused on OT compromise. Use a scenario like "what if a PLC is hijacked in our environment?"
It would probably help identify any gaps in security or coverage there. And the bottom line here is that these Iranian PLC campaigns show attackers are going straight for the systems that control the physical world. SOCs must treat their OT as a high-value target. Make sure you're enforcing network segmentation, limiting access, putting access controls in place, and monitoring and hunting proactively. This is the only sure way to stop these attacks before they can cause real damage. Here are some closing thoughts and a call to action. With CISA's new advisory on Iranian actors targeting U.S. PLCs, it's just a clear sign that OT security should not be an afterthought. These systems run our critical infrastructure, and once compromised, the impact goes far beyond data loss. This week, do an audit for any internet-exposed OT or PLC devices in your environment, verify they're properly firewalled or air-gapped where possible, share these results with your team, and let your colleagues know what to be on the lookout for. And that's a wrap for this episode of the SOC Brief. If you have questions or your own OT stories, hit us up on social media or via our website. Keep your eyes open, keep sharpening those skills, and we'll talk soon. Stay secure out there. Bye.
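As an added example (not from the episode or the CISA advisory), here is a small Python hunt that runs two of the checks described above over constructed firewall records: connections to well-known PLC service ports (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818) from addresses outside RFC 1918 space, and Modbus write function codes from hosts that are not on an engineering-workstation allow list. The port numbers and Modbus function codes are the standard ones; the addresses, the allow list and the log format are assumptions.

```python
import ipaddress

# Well-known ICS service ports (assumption: the monitored PLCs expose these)
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Modbus function codes that change controller state: 5/6/15/16 writes, 8 diagnostics
MODBUS_WRITE_FC = {5, 6, 8, 15, 16}
# Hypothetical allow list: engineering workstations permitted to write to PLCs
ALLOWED_WRITERS = {"10.20.0.15"}
# Anything outside RFC 1918 space is treated as internet-sourced (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: src, dst, dest port, optional Modbus function code
SAMPLE_LOG = """\
src=10.20.0.15 dst=10.50.1.10 dport=502 fc=16
src=203.0.113.45 dst=10.50.1.10 dport=44818
src=10.20.0.77 dst=10.50.1.11 dport=502 fc=5
src=10.20.0.15 dst=10.50.1.10 dport=502 fc=3
src=198.51.100.9 dst=10.50.1.12 dport=20000
src=10.20.0.15 dst=10.50.1.10 dport=443
"""

def parse(line):
    """Turn one 'key=value ...' record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "fc": int(fields["fc"]) if "fc" in fields else None}

def is_external(ip):
    """True when the address is not in any RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(log_text):
    """Return (reason, src, dst, service) tuples worth analyst triage."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        svc = ICS_PORTS.get(r["dport"])
        if svc is None:
            continue  # not an ICS service port, out of scope for this hunt
        if is_external(r["src"]):
            findings.append(("internet-exposed PLC port", r["src"], r["dst"], svc))
        if svc == "Modbus/TCP" and r["fc"] in MODBUS_WRITE_FC \
                and r["src"] not in ALLOWED_WRITERS:
            findings.append(("Modbus write from non-allowlisted host",
                             r["src"], r["dst"], svc))
    return findings
```

Feeding real flow or firewall exports through `hunt` only requires adapting `parse` to the export's field names; the allow list and internal ranges should come from the site's own asset inventory.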