Industry Reactions to Iran Hacking ICS in Critical Infrastructure: Feedback Friday
Iran-linked hackers target Rockwell Automation PLCs and SCADA systems in US critical infrastructure.
Summary
The US government (CISA, FBI) warned of Iran-linked threat actors actively targeting industrial control systems (ICS) and operational technology (OT) devices in critical infrastructure sectors including water, energy, and government facilities. Attackers exploited internet-exposed Rockwell Automation PLCs and abused legitimate programming software (Studio 5000 Logix Designer) to manipulate HMIs and SCADA systems, causing operational disruption and financial loss. Industry experts note the broader risk extends beyond Rockwell to Siemens and other PLC vendors, with over 3,000 exposed devices still online in North America.
Full text
The US government warned this week that Iran-linked hackers have targeted critical infrastructure organizations, hacking industrial control systems (ICS) and other operational technology (OT). According to an advisory written by CISA, the FBI, and several other agencies, hackers have targeted programmable logic controllers (PLCs) made by Rockwell Automation, but devices from other vendors are also at risk. Both Rockwell and Siemens have published advisories to alert customers.

The attacks caused operational disruption and financial loss through tampering with vulnerable human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems. The threat actors targeted internet-exposed PLCs and abused legitimate programming software such as Rockwell’s Studio 5000 Logix Designer to achieve their goals. Targeted industries include government services and facilities, water, and energy.

Industry professionals have shared thoughts on the advisory and provided recommendations for defenders.

Markus Mueller, Field CISO, Nozomi Networks:

“The advisory is not surprising. We have observed nation-state-aligned threat groups targeting publicly exposed operational technology (OT) devices in recent years whenever there’s increased geopolitical activity. The most high-profile of these campaigns was the 2023-24 operations carried out by CyberAv3ngers targeting Unitronics devices. In the current conflict, we have again observed a significant increase in such activity, such as what CISA recently reported. Industry groups, information sharing organizations, and vendors, including Rockwell, have been urging organizations to disconnect these devices from publicly accessible networks (Rockwell Advisory ID: SD1771, March 20th). Many of these devices are still online (in the case of Rockwell, more than 3K in North America), either because organizations are unaware they’re connected or because they underestimate the risk.

The public exposure of these OT devices creates a vast attack surface that a motivated and capable adversary can exploit, which is especially relevant given the current conflict. Since the conflict began, threat groups have made hundreds of unverified claims that they have compromised OT devices worldwide, including in North America. However, no public disclosures from affected organizations have come out. It’s common for such groups to post screenshots of control systems, claiming compromise even when they have not actually gained access. The fact that we are not seeing more publicly disclosed incidents may be a function of the scope of threat activity, which is mostly focused on the region supporting each side’s kinetic activity, the type of activity, which is mostly DDoS and data leaks, or it could be because organizations don’t want to disclose breaches of this type. It could also be that these groups are in the discovery and initial access phases of their campaigns, as some of the observed activity indicates. As the conflict continues, we will likely see an increased tempo of events, including those targeting OT devices. This will likely continue even if there is a resolution to hostilities, as in past conflicts, when kinetic attacks stop, we see a focus on hybrid warfare, including cyber.”

Denis Calderone, CTO, Suzu Labs:

“[…] Today, we’re seeing the threat actors conducting fairly surgical operations, using Studio 5000 Logix Designer, which is Rockwell Automation’s own PLC programming software, to interact with CompactLogix and Micro850 controllers at the file object level. They’re extracting the programming logic that controls physical processes and manipulating data on HMI and SCADA displays. Think about what that means for a water treatment operator or a power plant engineer. If your display is showing you normal pressure, flow, or chemical dosing levels and the actual values are different, you’re making operational decisions based on false data. That’s how equipment damage and safety incidents happen.

Now, the advisory specifically calls out Rockwell Automation and Allen-Bradley, and that makes sense because Rockwell holds roughly 35 to 40 percent of the US PLC market. But don’t let the Rockwell focus distract you. The indicators of compromise in the advisory include traffic on port 102, which is S7comm, and that’s a Siemens protocol. The advisory itself says ‘potentially other branded PLCs’ are at risk. If you’re running Siemens, Schneider, or any other PLC platform and assuming this doesn’t apply to you, look at the port list again: 44818 for EtherNet/IP (Rockwell and others), 102 for S7comm (Siemens), 502 for Modbus (most PLCs). Those protocols are from multiple manufacturers, proving that this is more than just a Rockwell problem.

The prescriptive advice here is straightforward. PLCs should never be directly accessible from the internet, period. The advisory confirms that the attackers are simply connecting to internet-exposed devices using overseas IP addresses. But internet isolation alone isn’t enough. Controllers and SCADA infrastructure should sit behind properly segmented OT network zones with monitored firewall boundaries between IT and OT environments.”

Duncan Greatwood, CEO, Xage Security:

“The active exploitation of our water and energy systems represents a sobering milestone in the weaponization of domestic infrastructure. This targeted campaign focuses on the core logic of our industrial processes, where the manipulation of control systems and human-machine interfaces can lead to direct operational failure. While emergency alerts provide critical guidance, the practice of disconnecting assets from the internet remains a temporary reaction to a systemic vulnerability. And even when infrastructure is disconnected, a technician’s malware-infected laptop can ‘walk’ an attack inside the network boundary, as has happened hundreds of times in the past with the U.S. electrical grid.

For our critical utilities, priority should be placed on establishing a resilient foundation that secures every interaction, rather than simply reacting to the threat of the day. CISA’s follow-up guidance to implement MFA is a positive step. However, its recommendation to enable remote access through a network proxy, gateway, firewall, and/or VPN in front of PLCs is problematic. VPNs are widely recognized as insecure forms of remote access, a point CISA itself has previously acknowledged. The recommendation to keep PLC devices updated with the latest manufacturer patches can also be misaligned with OT realities, where systems often cannot be patched frequently without risking operational disruption. Rather than relying solely on patching, operators need to strictly control access to the PLC, so the PLC can be protected when attacks are live on the network, even though the PLC itself may be insecure. To provide a durable foundation for resilience, organizations should adopt zero trust architectures, such as just-in-time access rights and microsegmentation to more effectively defend against advanced attacks and strengthen security posture.”

Damon Small, Board of Directors, Xcape:

“The targeted disruption of US water and energy utilities is the inevitable outcome of treating critical national infrastructure like a public Wi-Fi hotspot. By leveraging legitimate engineering tools like Rockwell’s Studio 5000 to manipulate project files, Iranian-linked actors have demonstrated that an Internet-exposed programmable logic controller (PLC) is not a poor technical design – it is a pre-staged kinetic weapon. Security leaders must acknowledge that these ‘nuisance’ disruptions are live-fire exercises for more catastrophic escalations that exist entirely outside the bounds of diplomatic ceasefires. The primary business risk has shifted from simple uptime to the physical safety of the communities these utilities serve.

Teams must immediately pull every PLC off the public Internet and isolate them behind a Zero Tr
Indicators of Compromise
- mitre_attack — T1059.001
- mitre_attack — T1190
- mitre_attack — T1657
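A defender-side example added here, not code from the article, the advisory, or any of the quoted vendors: a small Python triage script that reads constructed firewall log lines and flags allowed connections to the three industrial protocol ports named in the commentary (44818 EtherNet/IP, 102 S7comm, 502 Modbus), rating any source outside RFC 1918/loopback space as an internet-exposed controller and any internal source outside an assumed engineering-workstation subnet as an IT/OT boundary crossing. The log format, subnets and addresses are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# Industrial protocol ports named in the commentary above.
OT_PORTS = {44818: "EtherNet/IP", 102: "S7comm", 502: "Modbus/TCP"}
# Address space treated as inside the plant (RFC 1918 plus loopback); anything
# else is considered internet-facing for the purpose of this triage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: only engineering workstations in this subnet may talk to PLCs.
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.0.0/24")
# Assumed firewall log format: key=value pairs, one connection per line.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(\w+)")

Finding = namedtuple("Finding", "src dst protocol severity")


def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)


def classify(line):
    """Return a Finding for an allowed connection to a PLC protocol port, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    if dport not in OT_PORTS or action != "allow":
        return None  # not an OT protocol, or the firewall already blocked it
    src_ip = ipaddress.ip_address(src)
    if is_external(src_ip):
        # Controller reachable straight from the internet: the exposure the advisory describes.
        return Finding(src, dst, OT_PORTS[dport], "critical")
    if src_ip not in ENGINEERING_SUBNET:
        # Internal host outside the engineering zone crossing the IT/OT boundary.
        return Finding(src, dst, OT_PORTS[dport], "high")
    return None


def scan(lines):
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z src=203.0.113.5 dst=10.20.1.15 dport=44818 action=allow",
    "2025-01-01T10:00:02Z src=198.51.100.22 dst=10.20.1.16 dport=102 action=allow",
    "2025-01-01T10:00:03Z src=10.50.7.8 dst=10.20.1.15 dport=502 action=allow",
    "2025-01-01T10:00:04Z src=10.20.0.10 dst=10.20.1.15 dport=44818 action=allow",
    "2025-01-01T10:00:05Z src=203.0.113.9 dst=10.20.1.15 dport=44818 action=deny",
    "2025-01-01T10:00:06Z src=203.0.113.9 dst=10.20.1.15 dport=443 action=allow",
]
```

Running `scan(SAMPLE_LOG)` yields three findings: two critical (external sources reaching EtherNet/IP and S7comm) and one high (an IT-zone host reaching Modbus); the engineering-workstation session, the denied attempt and the HTTPS connection are left alone.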