Iran-Linked Hackers Disrupt U.S. Critical Infrastructure by Targeting Internet-Exposed PLCs

Author: Michael “Mike” Drayton, Principal DevSecOps Engineer, OT Security Lead at CriticalOps Advisory, CISSP, GICSP, GCIA.
15+ years securing water, power, and manufacturing sites across North America. Previous: Siemens, Dragos, independent consultant. Thousands of endpoints, hundreds of plants audited and breached—so you don’t have to.

OT Network Exposures: Tired Excuses, Real Targets
For OT/ICS engineers, CISOs, and IR teams: Iran-linked adversaries are in the news again (CISA, Jan 2024), breaking into U.S. critical infrastructure through exposed PLCs and unsecured industrial protocols. If you run real-world plants and want concrete, prioritized steps—not vendor euphemisms or vague warnings—read on. Below you’ll find hard-learned remediation priorities, detection signatures, and a first-hand view you won’t get from sanitized advisories.
Reality Check: Are We Really Still Doing This?
Stuxnet (2010) taught the world that PLC logic changes are not just “theoretical”—see the S4 Conference analysis.
NotPetya (2017) showed how flat networks destroy more than one asset class at a time (MITRE ATT&CK: NotPetya).
Yet CISA’s 2024 advisory found thousands of U.S. PLCs wide open—no authentication, on public IPs, controlling mission-critical water and power.
A recent Shodan scan found:
- 5,200+ industrial endpoints globally with public-facing Modbus or DNP3 (Jan 2024)
- 40% with default credentials or no authentication
- All accessible in under 60 seconds by anyone, not just nation-states
This is the “open door” attackers keep walking through. It’s not advanced—you’re just failing the basics.
Why the Pain Persists: Real-World (Anonymized) Anecdote
In 2022, I assessed a U.S. municipal water system (details anonymized per NDA, but indicative of standard findings—see CISA Water Sector Advisory). A Modicon PLC on a public IP, default creds (admin:admin), plaintext Modbus/TCP, and “protection” by a small office router. Why? “Vendor said remote support was easiest that way.”
My red team got in—no firewall logs, no monitoring. No malware required, just an Nmap scan and a Python script to brute-force simple logins. The hardest part was finding the right device among the thirty visible online.
This isn’t unique—CISA, Dragos, and Nozomi all report this pattern year after year.
Why We Keep Failing: Industry Habits That Get You Owned
Laziness rebranded as “business enablement.”
If your plant exposes PLCs for “vendor support” without a jump host and MFA, you’re not agile; you’re an easy mark. There is zero excuse for open ports. (NIST SP 800-82 r2, 2015, sec. 5.1)
OT as Appliance—Wishful Thinking.
PLCs, RTUs, HMIs, and “throwaway” SCADA devices are treated like dumb black boxes, not active endpoints. So, no asset inventory, no regular patching, no unique creds. Hope is not a control.
Vendor Promises vs. Protocol Reality.
Don’t trust the “secure-by-design” slide if your PLC accepts unauthenticated firmware or plaintext control. Siemens (see CERT-VDE-2021-036), Rockwell, and Schneider all have recent findings:
- Unauthenticated or unsigned firmware endpoints
- Open default ports (502/TCP Modbus, 20000/TCP DNP3)
- Limited or no TLS support out of the box for most PLCs (Modbus/TCP spec, section 8: security left to implementers)
If your stack can’t verify signed firmware, your attacker doesn’t need malware—just a config file.
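Because Modbus/TCP carries no authentication, the PLC cannot refuse a write from a stranger; the only place to catch it is on the wire. As an added example (not code from the advisory or from the assessment above), this is the minimal detection logic a passive sensor on the OT segment can apply to TCP/502 traffic: parse the MBAP header and function code, alert on any request from a host outside an engineering allowlist, and rate state-changing function codes high. The host addresses, allowlist and sample frames are constructed for illustration.

```python
import struct
# Modbus function codes that change PLC state; anything else is treated as a read.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

def parse_mbap(frame: bytes):
    """Parse the 7-byte MBAP header and function code; returns (tid, unit_id, fc, data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:  # length counts unit id + PDU (all bytes after offset 6)
        raise ValueError("length field %d does not match frame size" % length)
    return tid, unit_id, frame[7], frame[8:]

def build_request(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    # Encode a Modbus/TCP request; used here only to construct sample traffic.
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def detect(flows, allowlist):
    """flows: (src_ip, dst_ip, tcp_payload) tuples seen on TCP/502. Any request from outside
    the engineering allowlist alerts; writes are high severity because Modbus cannot refuse them."""
    alerts = []
    for src, dst, payload in flows:
        try:
            _, unit_id, fc, _ = parse_mbap(payload)
        except ValueError as exc:
            alerts.append((src, dst, "malformed Modbus/TCP: %s" % exc, "medium"))
            continue
        if src in allowlist:
            continue
        if fc in WRITE_FUNCTION_CODES:
            alerts.append((src, dst, "unauthorized %s (fc %d) to unit %d"
                           % (WRITE_FUNCTION_CODES[fc], fc, unit_id), "high"))
        else:
            alerts.append((src, dst, "unauthorized read fc %d to unit %d" % (fc, unit_id), "medium"))
    return alerts

# Constructed sample traffic: hypothetical engineering workstation, PLC and two outside hosts.
ENGINEERING_ALLOWLIST, PLC = {"10.10.1.20"}, "10.10.1.50"
SAMPLE_FLOWS = [
    ("10.10.1.20", PLC, build_request(1, 1, 3, struct.pack(">HH", 0, 10))),        # HMI read
    ("10.10.1.20", PLC, build_request(2, 1, 6, struct.pack(">HH", 100, 1))),       # authorized write
    ("203.0.113.45", PLC, build_request(3, 1, 5, struct.pack(">HH", 12, 0xFF00))), # outside write
    ("198.51.100.7", PLC, build_request(4, 1, 1, struct.pack(">HH", 0, 8))),       # outside read
    ("198.51.100.7", PLC, b"\x00\x05\x00\x00\x00\x02\x01"),                         # truncated frame
]
```

Running `detect(SAMPLE_FLOWS, ENGINEERING_ALLOWLIST)` yields three alerts: the outside write (high), the outside read (medium) and the truncated frame (medium); the allowlisted workstation's read and write pass silently.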
The Flat Network Menace: What I Actually See in the Wild
Flat, hopelessly porous networks.
If your HR Wi-Fi, engineering