Iranian APT Attacks Target Thousands of Exposed US Industrial Devices
Key Findings
Censys identified 5,219 internet-exposed Rockwell Automation PLCs globally, with 74.6% located in the United States
Iranian-linked APT groups have been actively targeting these devices since March 2026, causing operational disruptions and financial losses
Approximately 3,891 exposed U.S. devices are concentrated on cellular networks, indicating field-deployed infrastructure at utilities and substations
Most of the exposed devices run outdated firmware from the MicroLogix 1400 and CompactLogix families
Multiple additional services like VNC, Telnet, and Modbus create expanded attack paths beyond the primary EtherNet/IP protocol
Background
U.S. federal agencies including the FBI, CISA, and NSA issued a joint advisory on April 7, 2026, warning of coordinated cyberattacks against internet-connected operational technology in critical infrastructure sectors. The campaign is attributed to Iran-linked APT groups, believed to be associated with the Islamic Revolutionary Guard Corps and groups like CyberAv3ngers. Attacks have targeted government services, water systems, and energy infrastructure, with threat actors manipulating project files and altering data displayed on HMI and SCADA systems. Censys researchers conducted follow-up analysis on April 8, 2026, revealing the full scope of exposed devices.
Geographic Concentration and Deployment
The exposure of Rockwell Automation PLCs is heavily concentrated in the United States, though notable populations exist in Spain, Taiwan, Italy, and Iceland. A significant distinguishing factor is that many U.S. devices operate on cellular networks through providers like Verizon and AT&T rather than traditional fixed broadband connections. This deployment pattern reflects field-based systems used in distributed utility operations, substations, and remote industrial sites. The reliance on cellular and even satellite links like Starlink creates monitoring and patching challenges for defenders, as these systems are harder to reach through conventional network security measures.
Device Vulnerability Profile
The exposed devices predominantly belong to older product families that run outdated firmware versions. The MicroLogix 1400 and CompactLogix families dominate the exposure landscape, with rare instances of Micro820 devices. Remote unauthenticated fingerprinting is possible through EtherNet/IP identity responses, which expose detailed product strings revealing firmware revisions without requiring authentication. This enables attackers to easily scan, identify, and prioritize vulnerable systems for targeting, significantly increasing risks for critical infrastructure operators.
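The identity response the paragraph refers to is the EtherNet/IP ListIdentity reply, which carries a CIP Identity item with vendor ID, product code, firmware revision and a product-name string. The following Python is an added example for inventorying one's own PLCs; it is not code from the original article or from Censys. The byte layout follows the public EtherNet/IP encapsulation specification (command 0x0063, item type 0x000C), the sample reply is constructed (product code, serial, catalog string and socket address are made up), and the minimum-revision table is a hypothetical site policy.

```python
"""Parse an EtherNet/IP ListIdentity reply and flag outdated firmware (added example)."""
import struct
from dataclasses import dataclass

ENIP_LIST_IDENTITY = 0x0063      # encapsulation command for ListIdentity
CIP_IDENTITY_ITEM = 0x000C       # CPF item type carrying the CIP Identity object
ROCKWELL_VENDOR_ID = 1           # ODVA vendor ID assigned to Rockwell Automation / Allen-Bradley

# Hypothetical site policy: lowest acceptable firmware major revision per catalog prefix
# (1766 = MicroLogix 1400, 1769 = CompactLogix). Values are placeholders, not vendor advice.
MIN_MAJOR_REV = {"1766": 21, "1769": 33}


@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    serial: int
    product_name: str
    state: int


def parse_list_identity(data: bytes) -> Identity:
    """Decode the first CIP Identity item from a ListIdentity reply."""
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    # 24-byte encapsulation header: command, length, session, status, sender context, options
    cmd, length, _session, _status, _ctx, _options = struct.unpack_from("<HHII8sI", data, 0)
    if cmd != ENIP_LIST_IDENTITY:
        raise ValueError(f"not a ListIdentity reply: command 0x{cmd:04x}")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    if item_count < 1:
        raise ValueError("no items in reply")
    item_type, item_len = struct.unpack_from("<HH", body, 2)
    if item_type != CIP_IDENTITY_ITEM:
        raise ValueError(f"unexpected item type 0x{item_type:04x}")
    item = body[6:6 + item_len]
    # 2-byte protocol version + 16-byte sockaddr_in precede the identity fields
    off = 18
    fmt = "<HHHBBHIB"  # vendor, device type, product code, rev major, rev minor, status, serial, name len
    vendor, dev_type, prod_code, rev_major, rev_minor, _dev_status, serial, name_len = \
        struct.unpack_from(fmt, item, off)
    off += struct.calcsize(fmt)
    name = item[off:off + name_len].decode("ascii", errors="replace")
    off += name_len
    state = item[off]
    return Identity(vendor, dev_type, prod_code, f"{rev_major}.{rev_minor}", serial, name, state)


def firmware_is_outdated(ident: Identity) -> bool:
    """Apply the hypothetical policy: catalog prefix from the product name, compare major revision."""
    if ident.vendor_id != ROCKWELL_VENDOR_ID:
        return False
    catalog = ident.product_name.split("-", 1)[0]
    min_rev = MIN_MAJOR_REV.get(catalog)
    if min_rev is None:
        return False
    major = int(ident.revision.split(".", 1)[0])
    return major < min_rev


def build_sample_reply(product_name: str, rev_major: int, rev_minor: int, serial: int) -> bytes:
    """Construct a ListIdentity reply for offline testing (sample data, not a capture)."""
    # sockaddr_in is big-endian: family AF_INET, port 44818, address 192.0.2.10, 8 zero bytes
    sockaddr = struct.pack(">HH4s8s", 2, 44818, bytes([192, 0, 2, 10]), b"\x00" * 8)
    name = product_name.encode("ascii")
    item = struct.pack("<H", 1) + sockaddr + struct.pack(
        "<HHHBBHIB", ROCKWELL_VENDOR_ID, 0x0E, 0x005A, rev_major, rev_minor, 0x0030, serial, len(name)
    ) + name + bytes([0x03])  # device type 0x0E = PLC profile; product code/status/state are placeholders
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item
    header = struct.pack("<HHII8sI", ENIP_LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0)
    return header + body


if __name__ == "__main__":
    reply = build_sample_reply("1766-L32BWA B/15.00", 15, 0, 0x12345678)  # constructed catalog string
    ident = parse_list_identity(reply)
    print(ident, "OUTDATED" if firmware_is_outdated(ident) else "ok")
```

In practice the input bytes come from a capture or from a ListIdentity request sent to a PLC you own; the parser deliberately refuses anything that is not a ListIdentity reply with an Identity item, so a malformed or truncated frame raises instead of producing a half-filled record.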
Expanded Attack Surface
Beyond the primary EtherNet/IP protocol on port 44818, Censys found that exposed PLC hosts frequently run additional services that increase attack paths. VNC services enable remote HMI access, Telnet provides cleartext legacy access, and Modbus facilitates OT communication. Some installations include Red Lion Crimson software for mixed-vendor setups. The analysis also revealed infrastructure indicators suggesting multiple IP addresses tied to a single compromised engineering workstation, indicating the attack surface extends beyond initial government disclosures and potentially affects more organizations than originally known.
Recommended Defensive Actions
Organizations are urged to take immediate steps including securing PLCs behind firewalls or disconnecting them from the internet entirely where operationally feasible. Network defenders should scan logs for indicators of compromise, monitor OT ports for suspicious traffic particularly from overseas hosting providers, and enforce multifactor authentication for OT network access. Patching all PLC devices to current firmware versions is critical, as is disabling unused services and legacy authentication methods. Coordination with federal authorities can provide additional incident response support and access to updated threat intelligence as the campaign evolves.
Sources
https://securityaffairs.com/190646/ics-scada/censys-finds-5219-devices-exposed-to-attacks-by-iranian-apts-majority-in-u-s.html
https://www.bleepingcomputer.com/news/security/nearly-4-000-us-industrial-devices-exposed-to-iranian-cyberattacks/amp/
https://x.com/shah_sheikh/status/2043069936159822062