Exposed Rockwell controllers raise Iran cyber fears

More than 5,000 Rockwell Automation and Allen-Bradley programmable logic controllers are exposed to the public internet, sharpening concern across United States critical infrastructure as federal agencies warn that Iran-affiliated cyber actors are actively targeting such devices. Security researchers at Censys said they identified 5,219 internet-exposed hosts globally that responded as Rockwell or Allen-Bradley systems, with nearly three quarters of them located in the United States. The warning lands amid an active campaign against operational technology used in water, energy and government-linked facilities.

What gives the finding weight is not only the raw number of exposed controllers, but the kind of activity now being reported. Federal agencies said attackers have used legitimate Rockwell engineering software to access exposed controllers, interact with project files and alter the data shown to operators through human-machine interfaces and supervisory control and data acquisition displays. Officials said the activity has already caused operational disruption and financial losses in some cases, moving the threat beyond abstract vulnerability scanning into tangible interference with industrial processes.

The affected sectors are especially sensitive. U.S. authorities said the campaign poses particular risk to government facilities, water and wastewater systems, and the energy sector. Those environments depend on PLCs to automate physical processes ranging from pumping and treatment to power management and industrial safety functions. That makes public exposure of controllers a strategic weakness rather than a routine IT hygiene problem, because compromise can have physical consequences, including service outages, equipment damage or corrupted readings that mislead operators during live operations.

Censys’s analysis also suggests the exposure is deeply embedded in field deployments. Its researchers found that 74.6% of the exposed Rockwell devices were in the United States and that a striking share appeared to sit on cellular carrier networks, with Verizon Business accounting for 2,564 hosts and AT&T Mobility for another 693. That pattern indicates many of the systems are deployed in remote sites such as pump stations, substations and municipal facilities, where connectivity may rely on cellular or satellite links that are harder to monitor and harder to patch consistently.

The hardware profile adds to the concern. Researchers said the exposed estate is dominated by families such as MicroLogix and CompactLogix, with many devices revealing model and firmware information without authentication through EtherNet/IP responses on port 44818. They also found additional services exposed on some systems, including VNC, Telnet, Modbus and SSH, which broadens the routes an intruder can use to reach engineering workstations and adjacent industrial components. For defenders, that means the problem is not confined to one port or one device class but reflects a wider pattern of weak perimeter design around operational technology.

The latest warning also fits a broader chronology. In late 2023 and early 2024, Iran-linked operators associated with CyberAv3ngers were tied to attacks on Unitronics PLCs used in U.S. water and wastewater systems. A U.S. government advisory issued in December 2024 said at least 75 Unitronics devices in multiple critical infrastructure sectors had been compromised between November 2023 and January 2024, including 34 in water and wastewater. The Aliquippa, Pennsylvania water authority incident became an early symbol of how exposed industrial control devices could be used for political signalling and operational disruption at once.

Another layer to the present concern is the security history around Rockwell’s ecosystem. Industry reporting has highlighted the role of CVE-2021-22681, an authentication bypass issue affecting Studio 5000 Logix Designer and related Logix controller environments. The flaw can allow an unauthenticated attacker to bypass a verification mechanism and authenticate with vulnerable controllers, potentially enabling unauthorised changes to controller configuration or application code. While not every exposed controller will be vulnerable in the same way, the existence of a long-known pathway for trusted-looking access helps explain why authorities are focusing so heavily on exposed Rockwell environments.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
