US cybersecurity agency issues an urgent alert as Iranian hackers attack critical infrastructure — CISA guidance warns organizations to immediately shield certain programmable logic controllers from the internet to thwart future attacks

Iranian hackers are responding to the recent Iran-U.S. war with cyber attacks on critical American infrastructure, using vulnerabilities in systems used at water and energy companies, the U.S. has warned. The warning, released by the Cybersecurity and Infrastructure Security Agency this week, suggests that the Iranian attacks are focused on “internet-facing operational technology,” specifically programmable logic controllers, which allow them to gain a foothold and to cause disruption.

The CISA is now advising that affected organizations should begin to “urgently review” the guidance and to remove potentially exploitable controllers, specifically those made by Rockwell Automation and Allen-Bradley, from “direct internet exposure” using secure gateways and firewalls. The guidance also recommends auditing access logs for suspicious traffic across several ports, particularly 44818, 2222, 102, and 502.

The threat is serious enough that several U.S. agencies, including the FBI and NSA, are warning that organizations involved in critical infrastructure are at real risk. It’s no coincidence that the alert follows on from recent U.S. and Israeli military action against Iran who, in response, has placed IT companies in the region in their crosshairs, from direct strikes on Oracle and Amazon data centers to further threats to attack 14 other U.S. companies like Microsoft, Apple, and Google across the Middle East.

Article continues below

The April 7, 2026 CISA guidance lists the “widespread use” of these programmable logic controllers in several critical industries as a direct threat. The report notes that “malicious interactions” have, in some instances, caused “the manipulation of data” which, “in a few cases” has led to operational downtime and financial loss.

While CISA doesn’t mention a specific hacking group, it has previously issued warnings about CyberAv3ngers, a group affiliated with Iran’s hardline Islamic Revolutionary Guard Corps, who it reported using similar exploits in 2024. Several sectors vital to the U.S. economy, including water, energy, and local municipal services, are considered at risk.

The guidance lists several IP addresses, collated by the FBI, that are believed to have been used by the group over different time periods, up to and including March 2026. Several attack vectors, including Rockwell Automation’s programming software Studio 5000 Logix Designer, are mentioned, along with common access ports and remote access tools that it has seen deployed on vulnerable devices, including Dropbear SSH software using port 22.

The advice for organizations that could be at risk is simple: double-check your logs and protect your devices. Among “immediate steps” it recommends to stop future attacks is to limit public-facing internet access to any vulnerable hardware and to use physical switch modes that limit programming or remote access on any PLCs that have the functionality.

Firewalls should be configured to block traffic on common ports, and unused remote access methods and services should be switched off. Organizations using Rockwell Automation/Allen-Bradley PLCs are also advised to review “previously issued guidance” from the manufacturers to protect them against further cyber threats, where possible.

As CISA’s past guidance shows, cyber attacks from nations such as Iran, Russia, and North Korea are hardly new phenomena. In an era of ever-growing global insecurity, this CISA alert is a timely reminder for those involved in protecting critical infrastructure to harden their systems because, when you’re connected to the internet, every connected system is suddenly at risk to hackers living thousands of miles away.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.