Thousands of Rockwell PLCs Exposed Online, Drawing Warnings from U.S. Agencies
Researchers at Censys have identified 5,219 Rockwell Automation programmable logic controllers (PLCs) accessible via the internet, with a significant concentration in the United States, heightening risks to critical infrastructure. The exposure of these operational technology (OT) devices has raised concerns about exploitation by advanced persistent threat (APT) groups, particularly those linked to Iran.
On April 7, 2026, the FBI, CISA, and NSA issued a joint advisory warning of active targeting by Iran-backed threat actors. The agencies emphasized the urgency of securing these systems, noting that such groups have historically targeted vulnerable OT environments to cause disruption, gather intelligence, or demonstrate offensive capabilities.
The advisory recommends immediately disconnecting internet-facing PLCs where possible. Where disconnection isn’t feasible, it recommends network segmentation, multi-factor authentication, and timely patching. Additional measures include intrusion detection systems, behavioral analytics, and enhanced monitoring to detect unauthorized activity.
Exposed devices span energy, manufacturing, and water systems, sectors where a successful compromise could have severe economic and public safety consequences. The agencies stressed that operators must act swiftly to reduce the attack surface, as threat actors continue to scan for and exploit unsecured industrial systems at scale.
Rockwell Automation cybersecurity rating report: https://www.rankiteo.com/company/rockwell-automation
{
  "id": "ROC1776083482",
  "linkid": "rockwell-automation",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}