A joint U.S. advisory warns that Iranian-linked actors are probing internet-exposed PLCs and PCM control boards that serve critical infrastructure.
The FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command issued a joint advisory warning of Iranian-linked threat actors targeting PLCs, including Rockwell and Allen-Bradley control boards, across U.S. critical infrastructure networks.
These campaigns have focused on internet-facing PLCs and PCM boards in Government Services, Water and Wastewater Systems, and Energy sectors. The attackers are not only harvesting operational data — they are taking project files and manipulating what operators see on SCADA and HMI displays.
Programmable logic controllers (PLCs) and pulse code modulation (PCM) control boards are the automation backbone for pumps, valves, and distribution systems. When these devices are accessible from the internet, attackers can disrupt processes, corrupt telemetry, or alter human-machine interface outputs.
The joint advisory says Iranian-affiliated actors have targeted internet-exposed operational technology devices and have already extracted project files. That means adversaries can reconstruct control logic and then feed false or manipulated data to control rooms.
Earlier warnings also connected this activity to groups that have exploited industrial targets before, such as CyberAv3ngers and other Iran-linked operators. The advisory highlights a worrying trend: OT systems that remain internet-facing are increasingly attractive to nation-state-aligned actors.
Incident response in OT must assume that attackers can reach exposed PLCs. That means network segmentation, asset visibility, and continuous monitoring are not optional. The advisory is a call to action for teams responsible for Rockwell, Allen-Bradley, and other industrial control systems.
For security teams, the key takeaway is simple: treat internet-exposed PLC and PCM boards as high-risk assets, and move fast to isolate, audit, and harden them before the next targeted campaign succeeds.
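One way to start the audit step is to check existing firewall flow exports for traffic that crosses the OT boundary. The sketch below is an added example, not code from the advisory or any vendor; the CSV layout, the trusted ranges, the PLC subnet, and the port labels are assumptions to replace with values from the site's own asset inventory.

```python
import csv
import io
import ipaddress

# Assumptions (site-specific, not from the advisory): trusted ranges and PLC subnet.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
OT_NET = ipaddress.ip_network("10.20.0.0/24")
# Well-known industrial protocol ports, used only to label findings.
OT_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP", 102: "S7comm"}

# Constructed sample flow export; external hosts use documentation address ranges.
SAMPLE_FLOWS = """ts,src,dst,dport,action
2024-01-01T00:00:01Z,10.20.1.15,10.20.0.10,44818,allow
2024-01-01T00:00:05Z,203.0.113.7,10.20.0.10,44818,allow
2024-01-01T00:00:09Z,198.51.100.23,10.20.0.11,502,deny
2024-01-01T00:00:12Z,203.0.113.7,10.20.0.10,443,allow
2024-01-01T00:00:20Z,10.20.0.10,203.0.113.7,44818,allow
"""

def is_external(ip):
    """True when the address lies outside every trusted range."""
    return not any(ip in net for net in TRUSTED_NETS)

def audit_flows(flow_csv):
    """Return (finding, src, dst, service) for flows that cross the OT boundary."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        port = int(row["dport"])
        service = OT_PORTS.get(port, f"port {port}")
        allowed = row["action"] == "allow"
        if dst in OT_NET and is_external(src):
            # Allowed inbound means the controller is reachable from outside.
            kind = "EXPOSED" if allowed else "PROBE_BLOCKED"
        elif src in OT_NET and is_external(dst) and allowed:
            # Controllers should not initiate sessions to the internet.
            kind = "OT_EGRESS"
        else:
            continue
        findings.append((kind, str(src), str(dst), service))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding, sep="\t")
```

Any `EXPOSED` or `OT_EGRESS` row points to a firewall rule or NAT mapping to remove; `PROBE_BLOCKED` rows show that the controller's address is already being probed from outside.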