Vigilant Voices Blog

Iranian Actors Target PLCs and PCM Boards

A joint U.S. advisory warns that Iranian-linked hackers are exploiting internet-exposed PLCs and control boards across critical U.S. infrastructure.

April 10, 2026 • OT Security

A coordinated advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command warns that Iranian-affiliated threat actors have been targeting internet-exposed programmable logic controllers (PLCs) and pulse code modulation (PCM) boards used by critical infrastructure providers.

The campaign has affected Energy, Water and Wastewater Systems, and Government Services, with attackers exploiting exposed OT equipment and project files to manipulate SCADA and HMI displays.

Why PLC and PCM exposure matters

PLCs and PCM boards are the backbone of industrial control. When these devices are exposed to the public internet, adversaries can access the logic that controls pumps, valves, power distribution, and industrial process loops.

Key advisory findings

  • Attackers are targeting internet-facing Rockwell and Allen-Bradley PLCs.
  • They are extracting configuration and project files from compromised devices.
  • Manipulated data is being displayed on operator HMIs and SCADA screens.
  • The campaign includes both nation-state-aligned actors and hacktivist groups with a history of OT targeting.

Immediate defensive steps

  • Disconnect PLCs from the internet. Where possible, isolate OT devices behind firewalls and secure remote access gateways.
  • Scan logs for indicators of compromise. Review advisory feeds and OT traffic for unusual connections, credential use, and file changes.
  • Keep firmware up to date. Apply available updates for Rockwell, Allen-Bradley, and other OT boards.
  • Disable unused services and default credentials. Remove exposed ports and interfaces that are not needed for operations.
  • Use strong authentication. Require multifactor access for maintenance and OT network entry.
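One way to carry out the log review in the steps above, as an added example that is not from the advisory or this blog's own tooling: it flags allowed flows from outside the site's address space to PLC addresses. The key=value log format, the 10.20.1.0/24 PLC subnet, and the internal ranges are assumptions; 44818 and 2222 are the registered EtherNet/IP ports.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (adjust to your site): internal address space, the PLC subnet,
# and a firewall log made of key=value fields. Ports are EtherNet/IP.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PLC_NET = ipaddress.ip_network("10.20.1.0/24")  # hypothetical OT subnet
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}
FIELD = re.compile(r"(\w+)=(\S+)")

def external_plc_connections(lines):
    """Count allowed flows from non-internal sources to PLC addresses.

    Returns {(src, dst, proto, dport, severity): count}; severity is "high"
    when the destination is an EtherNet/IP port, otherwise "medium".
    """
    hits = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            dport = int(f["dport"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated line
        if f.get("action") != "allow" or dst not in PLC_NET:
            continue  # only flows that actually reached a PLC
        if any(src in net for net in INTERNAL_NETS):
            continue  # internal source, e.g. an engineering workstation
        proto = f.get("proto", "").lower()
        sev = "high" if (proto, dport) in ENIP_PORTS else "medium"
        hits[(str(src), str(dst), proto, dport, sev)] += 1
    return hits

# Constructed sample log lines; external sources use documentation ranges.
SAMPLE = [
    "2026-04-09T02:14:07Z action=allow proto=tcp src=203.0.113.45 sport=51544 dst=10.20.1.15 dport=44818",
    "2026-04-09T02:14:09Z action=allow proto=tcp src=203.0.113.45 sport=51546 dst=10.20.1.15 dport=44818",
    "2026-04-09T02:15:30Z action=allow proto=tcp src=10.20.5.8 sport=49822 dst=10.20.1.15 dport=44818",
    "2026-04-09T02:16:02Z action=deny proto=tcp src=198.51.100.7 sport=40112 dst=10.20.1.16 dport=44818",
    "2026-04-09T02:16:05Z action=allow proto=tcp src=198.51.100.7 sport=40113 dst=10.20.1.16 dport=80",
    "2026-04-09T02:17:44Z action=allow proto=tcp src=203.0.113.45 sport=51600 dst=10.30.0.5 dport=443",
    "2026-04-09T02:20:00Z link up eth0",
]

if __name__ == "__main__":
    for (src, dst, proto, dport, sev), n in external_plc_connections(SAMPLE).items():
        print(f"[{sev}] {src} -> {dst}:{dport}/{proto} x{n}")
```

Any hit means a firewall rule is letting a public address reach a controller, so the rule itself is the first thing to fix.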

Actionable advice for operators

This advisory is a reminder that critical infrastructure teams must treat exposed PLCs and PCM control boards as high-risk assets. Visibility, segmentation, and rapid incident triage are the core defenses that will reduce the likelihood of an OT disruption.

Security professionals should assume that any internet-facing OT controller is a likely target and move quickly to isolate, audit, and harden it.