Rockwell Automation PLC Cyberattacks: How 4,000 U.S. Industrial Devices Were Exposed in 2026

Industrial Automation Faces Unprecedented Cyber Risk

Nearly 4,000 U.S. industrial automation devices—primarily Rockwell Automation/Allen‑Bradley PLCs—were exposed to Iranian state‑backed cyberattacks beginning in March 2026. These incidents disrupted operations, forced manual control, and caused financial losses across critical sectors. Moreover, multiple federal agencies confirmed that Iranian APT groups exploited internet‑facing control systems, manipulated HMI/SCADA displays, and attempted destructive actions using wiper malware. As a result, U.S. operators face heightened urgency to secure factory automation assets.

Attackers Exploit EtherNet/IP and Exposed PLC Infrastructure

The campaign targeted PLCs communicating over EtherNet/IP, a widely used protocol in factory automation and process industries. According to Censys data, 5,219 hosts worldwide were identified as Rockwell Automation/Allen‑Bradley devices, with 74.6% located in the United States. Many of these PLCs were reachable over cellular networks, indicating field deployments with limited physical security. In addition, attackers used MITRE ATT&CK techniques such as Exploit Public‑Facing Application (T1190) and External Remote Services (T1133) to gain access, extract project files, and manipulate operational data.

Manipulated HMI/SCADA Displays Disrupt Process Control

Once inside the PLC environment, attackers altered HMI and SCADA displays, impairing process visibility and forcing operators to switch to manual operation. This activity aligns with Impair Process Control (T0813) and Stored Data Manipulation (T1565.001). Therefore, affected facilities faced increased safety risks and operational instability. Based on my experience with DCS and PLC commissioning, manipulated process values can mislead operators and cause incorrect manual interventions, especially in water treatment and energy systems.

Wiper Malware Attempts Highlight Destructive Intent

The campaign included attempts to deploy wiper malware designed to delete operational data. While the success of these attempts remains unclear, similar attacks occurred weeks earlier, including the March 2026 incident at Stryker, where approximately 80,000 devices were wiped. This pattern shows that threat actors possess both the capability and intent to cause destructive outcomes in industrial environments. In addition, their understanding of PLC configurations suggests deep familiarity with industrial protocols and safety logic.

Timeline Shows Rapid Escalation of Industrial Cyber Threats

The attack sequence escalated quickly:

  • March 2026: Large‑scale targeting of internet‑exposed Rockwell PLCs.

  • April 7, 2026: Joint federal advisory issued by CISA, FBI, NSA, DOE, EPA, and U.S. Cyber Command.

  • April 10, 2026: Public reporting confirms widespread exposure and ongoing threat activity.

Prior campaigns targeted Unitronics PLCs between 2023 and 2024, compromising water and wastewater systems. Therefore, the 2026 attacks represent a continuation of long‑term Iranian interest in ICS environments.

Threat Activity Shows Deep ICS Knowledge

Federal agencies attribute the attacks to Iranian APT groups with high confidence. Their tactics include scanning for exposed PLCs, exploiting remote access protocols, extracting project files, manipulating process data, and attempting destructive malware deployment. The campaign is opportunistic, targeting any accessible device rather than specific organizations. As a result, all operators with exposed PLCs face elevated risk. The most affected sectors include oil and gas, water and wastewater, energy, and government services.

Mitigation Actions for PLC and Control System Operators

Critical defensive actions include:

  • Disconnect PLCs from the public internet to eliminate direct exposure.

  • Enforce MFA for all OT network access.

  • Update PLC firmware and disable unused services.

  • Monitor logs continuously for suspicious remote connections.

  • Strengthen incident response plans for rapid containment.

  • Train OT personnel on secure PLC deployment and internet‑exposure risks.

These recommendations align with federal guidance and best practices for securing industrial control systems.
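The discovery and session activity described in the EtherNet/IP section is visible on the wire, and the log‑monitoring item above can be implemented against it. The following is an added example written for this page, not code from the article, Rockwell Automation or ODVA: it parses the fixed 24‑byte EtherNet/IP encapsulation header carried on port 44818 and flags discovery (ListIdentity) and session setup (RegisterSession, SendRRData) coming from addresses outside the plant allow‑list, plus malformed headers. The packet samples, the allow‑list range and the external address (a TEST‑NET documentation range) are constructed.

```python
"""Flag suspicious EtherNet/IP (ENIP) sessions in captured traffic.

Added example, not code from the original article or from Rockwell/ODVA.
It parses the 24-byte ENIP encapsulation header (TCP/UDP port 44818) and
alerts on discovery or session-setup commands arriving from addresses
outside the OT allow-list. All sample packets below are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ENIP_PORT = 44818
# Encapsulation command codes from the ENIP specification.
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
# Commands that reveal device identity or open a session: expected from an
# engineering workstation, suspicious from any other source.
SENSITIVE = {"ListIdentity", "RegisterSession", "SendRRData"}


@dataclass
class EnipHeader:
    command: int
    length: int      # byte length of the data following the header
    session: int     # session handle assigned by the device
    status: int
    context: bytes   # 8-byte sender context, echoed back by the device
    options: int

    @property
    def name(self) -> str:
        return ENIP_COMMANDS.get(self.command, f"Unknown(0x{self.command:04x})")


def parse_enip_header(payload: bytes) -> EnipHeader:
    """Parse the fixed 24-byte encapsulation header (all fields little-endian)."""
    if len(payload) < 24:
        raise ValueError("payload shorter than ENIP encapsulation header")
    command, length, session, status, context, options = struct.unpack("<HHII8sI", payload[:24])
    if len(payload) - 24 < length:
        raise ValueError("encapsulation length exceeds captured payload")
    return EnipHeader(command, length, session, status, context, options)


def build_enip(command: int, data: bytes = b"", session: int = 0) -> bytes:
    """Build a header for the constructed samples only (no CIP payload is generated)."""
    return struct.pack("<HHII8sI", command, len(data), session, 0, b"\x00" * 8, 0) + data


def classify(src_ip: str, dst_port: int, payload: bytes, allowed: List[str]) -> Optional[str]:
    """Return an alert string, or None when the packet is expected traffic."""
    if dst_port != ENIP_PORT:
        return None
    try:
        hdr = parse_enip_header(payload)
    except ValueError as exc:
        return f"malformed ENIP from {src_ip}: {exc}"
    src = ip_address(src_ip)
    trusted = any(src in ip_network(net) for net in allowed)
    if hdr.name in SENSITIVE and not trusted:
        return f"{hdr.name} from non-allow-listed {src_ip}"
    if hdr.name.startswith("Unknown"):
        return f"{hdr.name} from {src_ip}"
    return None


def scan_packets(packets: List[Tuple[str, int, bytes]], allowed: List[str]) -> List[str]:
    """Run classify() over (src_ip, dst_port, payload) tuples; return alerts in order."""
    return [a for a in (classify(s, p, d, allowed) for s, p, d in packets) if a]


# Constructed samples: one engineering workstation on the OT segment and one
# external host (TEST-NET-2 address) running discovery, then opening a session.
OT_ALLOWLIST = ["10.20.0.0/16"]
SAMPLE_PACKETS = [
    ("10.20.5.10", 44818, build_enip(0x0065, b"\x01\x00\x00\x00")),  # workstation RegisterSession
    ("198.51.100.77", 44818, build_enip(0x0063)),                    # external ListIdentity probe
    ("198.51.100.77", 44818, build_enip(0x0065, b"\x01\x00\x00\x00")),
    ("10.20.5.10", 8080, b"GET / HTTP/1.1\r\n"),                      # not ENIP, ignored
    ("198.51.100.77", 44818, b"\x63\x00"),                           # truncated header
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS, OT_ALLOWLIST):
        print("ALERT:", alert)
```

In practice the tuples would come from a capture or flow export at the OT boundary; the point of the check is that a ListIdentity or RegisterSession from anything other than the known engineering hosts is itself the alert, before any CIP payload needs to be decoded.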

Application Scenarios — Strengthening ICS Security in Automation Environments

  • Secure PLC deployment using firewalls and segmented OT networks.

  • Continuous monitoring of EtherNet/IP traffic for anomalies.

  • HMI/SCADA integrity checks to detect manipulated process values.

  • Disaster recovery planning for potential wiper malware incidents.

  • Zero‑trust access control for remote maintenance of PLC and DCS assets.
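The HMI/SCADA integrity item above, and the manipulated process values discussed earlier, come down to one question: does what the operator sees agree with what the controller and the physics say? The following is an added example, not the article's code or any vendor's product. It assumes each tag can be read twice, once as the value the HMI currently displays and once directly from the PLC (or a separate historian), and applies three checks per scan: physical range, HMI‑versus‑PLC agreement, and rate of change. Tag names, limits and the scan sequence (a tank level whose HMI display freezes while the controller value keeps rising, and a chlorine residual that jumps faster than a dosing loop can move) are constructed.

```python
"""Plausibility and cross-source checks for HMI-displayed process values.

Added example, not from the original article or any vendor. Assumes an
independent read of each tag from the PLC alongside the HMI display value.
Tag names, limits and readings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TagLimits:
    lo: float          # physical minimum the sensor can report
    hi: float          # physical maximum
    max_rate: float    # largest credible change per scan interval
    tolerance: float   # allowed HMI-vs-PLC disagreement


@dataclass
class Reading:
    tag: str
    hmi_value: float   # what the operator screen shows
    plc_value: float   # what an independent read from the controller returns


@dataclass
class IntegrityChecker:
    limits: Dict[str, TagLimits]
    last_value: Dict[str, float] = field(default_factory=dict)

    def check(self, r: Reading) -> List[str]:
        """Return findings for one reading; an empty list means consistent."""
        lim = self.limits.get(r.tag)
        if lim is None:
            return [f"{r.tag}: no limits configured"]
        findings = []
        if not (lim.lo <= r.plc_value <= lim.hi):
            findings.append(f"{r.tag}: PLC value {r.plc_value} outside physical range")
        if abs(r.hmi_value - r.plc_value) > lim.tolerance:
            findings.append(f"{r.tag}: HMI shows {r.hmi_value} but PLC reports {r.plc_value}")
        prev = self.last_value.get(r.tag)
        if prev is not None and abs(r.plc_value - prev) > lim.max_rate:
            findings.append(f"{r.tag}: jump from {prev} to {r.plc_value} exceeds max rate")
        self.last_value[r.tag] = r.plc_value
        return findings


def make_checker() -> IntegrityChecker:
    """Constructed limits for a water-treatment style tag set."""
    return IntegrityChecker({
        "tank_level": TagLimits(lo=0.0, hi=100.0, max_rate=2.0, tolerance=0.5),   # percent
        "cl2_residual": TagLimits(lo=0.0, hi=5.0, max_rate=0.3, tolerance=0.05),  # mg/L
    })


def run_scans(checker: IntegrityChecker, scans: List[List[Reading]]) -> List[List[str]]:
    """Apply the checker scan by scan; returns the findings list for each scan."""
    return [[f for r in scan for f in checker.check(r)] for scan in scans]


# Constructed scan sequence. From scan 4 the HMI level display sticks at 62.0
# while the PLC value keeps climbing; in scan 5 the chlorine value jumps 3.5 mg/L
# in one interval, which no dosing loop can do.
SAMPLE_SCANS = [
    [Reading("tank_level", 60.0, 60.1), Reading("cl2_residual", 1.20, 1.20)],
    [Reading("tank_level", 61.0, 61.2), Reading("cl2_residual", 1.25, 1.25)],
    [Reading("tank_level", 62.0, 62.4), Reading("cl2_residual", 1.30, 1.30)],
    [Reading("tank_level", 62.0, 63.9), Reading("cl2_residual", 1.30, 1.30)],
    [Reading("tank_level", 62.0, 65.1), Reading("cl2_residual", 4.80, 4.80)],
]

if __name__ == "__main__":
    for i, findings in enumerate(run_scans(make_checker(), SAMPLE_SCANS), start=1):
        for f in findings:
            print(f"scan {i}: {f}")
```

The two readings must come over separate paths (for example, the HMI's own tag value and a direct read from the controller by a monitoring host), otherwise a manipulated display and a manipulated source agree with each other and only the physics checks remain.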

About the Author

Chen Yuhang is a senior industrial automation specialist with more than 15 years of hands‑on experience in PLC, DCS, TSI, and power protection systems. His work focuses on engineering implementation, OT cybersecurity hardening, and technical documentation for global automation manufacturers and industry media.