Your Factory Floor PLC Might Be Internet-Exposed — And You Don't Even Know It

If your business operates machinery on a factory floor, manages a water treatment process, runs building management systems, or controls any kind of industrial equipment, there is a very real chance that a device called a Programmable Logic Controller — a PLC — is quietly sitting on your network, connected to the public internet, and visible to anyone who knows where to look.

On 7 April 2026, the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the NSA, and several other federal agencies issued a joint advisory confirming that Iranian-affiliated hackers have been actively compromising internet-exposed PLCs across critical infrastructure. The attacks have already caused operational disruption and financial loss to victim organisations. This is not a theoretical risk. It is happening right now.

What Is a PLC, and Why Should You Care?

A PLC is a ruggedised computer that controls physical processes — opening and closing valves, regulating temperatures, managing conveyor belts, controlling pumps, and operating production lines. They are the silent workhorses behind manufacturing, water treatment, energy distribution, HVAC systems, and countless other industrial operations.

Here is the problem: PLCs were designed decades ago for reliability and deterministic operation on trusted, isolated networks. They were never built to withstand the kind of hostile internet traffic they are now being exposed to. Many have no authentication whatsoever. If you can reach one over the internet, you can often read its programming, modify its logic, or change what operators see on their control screens — with no password required.

How Did Iranian Hackers Exploit This?

According to the CISA advisory (AA26-097A), Iranian-affiliated advanced persistent threat actors have been targeting internet-facing PLCs — primarily Rockwell Automation and Allen-Bradley devices — since at least March 2026. The attackers connected to exposed devices using standard industrial software and leased overseas hosting infrastructure, making their connections appear routine.

They did not need sophisticated zero-day exploits. They simply found devices that were reachable from the public internet and interacted with them as though they were legitimate operators. They tampered with PLC project files, manipulated the data shown on operator displays (HMIs and SCADA screens), and in several cases caused genuine operational disruption.

The advisory also references an earlier campaign beginning in November 2023 by a group known as CyberAv3ngers, linked to Iran's Islamic Revolutionary Guard Corps, which compromised at least 75 PLC devices across US water and wastewater systems.

"We're a Small Business in the UK — This Doesn't Apply to Us"

This is the most dangerous assumption you can make. The CISA advisory explicitly warns that the widespread use of these PLCs means any organisation using them could be targeted. The attackers are not hand-picking victims from a list of critical national infrastructure operators. They are scanning the entire internet for exposed devices and exploiting whatever they find.

If you are a UK engineering firm with a CNC machine connected to your network, a food manufacturer with automated production lines, a facilities management company running building management systems, or a small water utility, you are squarely in the target zone. The attackers do not care about the size of your business. They care about whether your PLC is reachable.

Tools like Shodan — a search engine that indexes internet-connected devices — make it trivially easy to find exposed industrial control systems. Security researchers consistently find thousands of PLCs, SCADA interfaces, and Modbus endpoints visible on the public internet, many with no authentication enabled.

The Cyber Essentials Connection

If you hold or are working towards Cyber Essentials certification, two of its five core controls are directly relevant here:

Boundary Firewalls and Internet Gateways: Cyber Essentials requires that you control what traffic can enter and leave your network. An internet-exposed PLC is a textbook failure of this control. If a device on your operational network is directly addressable from the public internet, your boundary is broken — full stop.

Secure Configuration: PLCs shipped with default credentials (or no credentials at all) that have never been changed represent exactly the kind of insecure default configuration that Cyber Essentials is designed to eliminate. If your PLC still uses the factory-default settings and is reachable from outside your network, you have two Cyber Essentials failures in one device.

This is not just about passing an audit. These controls exist because they work. A properly configured firewall that blocks inbound traffic to your OT network would have stopped the Iranian campaign dead before it started.

What Should You Do Right Now?

1. Find Out What Is Exposed

Ask your IT provider or internal team a simple question: "Are any of our industrial control devices — PLCs, HMIs, SCADA systems, building management controllers — accessible from the internet?" If the answer is "I don't know" or "I'm not sure," that is your first problem. You need an asset inventory that includes every device on your operational network.

2. Disconnect PLCs from the Internet Immediately

There is no legitimate reason for a PLC to be directly accessible from the public internet. If remote access is genuinely required, it must go through a properly configured VPN with multi-factor authentication — never through a direct connection. Rockwell Automation themselves issued guidance in 2026 urging customers to disconnect devices from the internet and harden their PLCs.

3. Segment Your Network

Your factory floor network should not be on the same network as your office PCs and email. Operational technology and information technology networks must be separated — ideally with a firewall between them that only permits the specific traffic that is genuinely needed. If an attacker compromises a laptop in your office, they should not be able to reach a PLC on your production line.

4. Change Default Credentials

If your PLCs, HMIs, or engineering workstations still use factory-default passwords, change them today. Enable any available authentication or access control features. Where devices support it, enable programming protection to prevent unauthorised logic changes.

5. Back Up Your PLC Logic

Create offline backups of all PLC programs and configurations. Store them on secured, physically removable media. If an attacker does tamper with your PLC logic, you need the ability to restore known-good configurations quickly. Test your restore procedures — do not assume they will work when you need them.

6. Monitor OT Network Traffic

Check your firewall and network logs for unexpected traffic on industrial ports — particularly port 44818 (EtherNet/IP, used by Rockwell PLCs), port 502 (Modbus), port 102 (Siemens S7), and port 22 (SSH). Traffic on these ports from overseas IP addresses or cloud hosting providers is a significant red flag.
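As an added illustration of the log check described in step 6 (this is example code written for this article, not a tool from CISA, the NCSC or any PLC vendor), the script below triages firewall log lines for accepted inbound connections to the four industrial ports named above from addresses outside the organisation's own ranges. The log format, the internal address ranges and the log lines themselves are all constructed assumptions; adapt the regular expression and the internal networks to your own firewall. Dropped connections on those ports are reported separately, because a run of drops from one external address is scanning the firewall already handled, whereas a single accepted connection is a device that is actually reachable.

```python
"""Triage firewall log lines for inbound industrial-protocol traffic from external sources.

Example code for this article; not from any vendor or agency. The log format,
internal ranges and sample lines are constructed for the demonstration.
"""
import ipaddress
import re

# Ports from step 6 of the article. Labels are descriptive only.
INDUSTRIAL_PORTS = {
    44818: "EtherNet/IP (Rockwell / Allen-Bradley)",
    502: "Modbus/TCP",
    102: "Siemens S7 (ISO-TSAP)",
    22: "SSH",
}

# Assumption: the organisation's internal space is RFC 1918. Extend with any
# public ranges you own; everything outside this list is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample lines in a simplified key=value firewall format (not a real device's log).
# Source addresses use the RFC 5737 documentation ranges so they are external but not real hosts.
SAMPLE_LOG = """\
2026-04-08T02:13:41Z fw01 ACCEPT proto=tcp src=198.51.100.23 spt=51234 dst=10.20.30.5 dpt=44818
2026-04-08T02:13:45Z fw01 ACCEPT proto=tcp src=10.20.30.40 spt=40001 dst=10.20.30.5 dpt=44818
2026-04-08T02:14:02Z fw01 DROP proto=tcp src=203.0.113.9 spt=60000 dst=10.20.30.6 dpt=502
2026-04-08T02:15:10Z fw01 ACCEPT proto=tcp src=203.0.113.9 spt=60001 dst=10.20.30.6 dpt=502
2026-04-08T02:16:00Z fw01 ACCEPT proto=tcp src=192.0.2.77 spt=33333 dst=10.20.30.7 dpt=22
2026-04-08T02:16:30Z fw01 ACCEPT proto=tcp src=10.1.1.9 spt=33334 dst=10.20.30.7 dpt=443
2026-04-08T02:17:00Z fw01 ACCEPT proto=tcp src=192.0.2.77 spt=33335 dst=10.20.30.8 dpt=102
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(addr):
    """True when the address falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text):
    """Split industrial-port traffic from external sources into accepted (exposed) and dropped (probes).

    Only connections to the ports in INDUSTRIAL_PORTS whose source is external are considered.
    """
    exposed, blocked_probes = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in INDUSTRIAL_PORTS or is_internal(rec["src"]):
            continue
        finding = {
            "time": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "port": rec["dpt"],
            "protocol": INDUSTRIAL_PORTS[rec["dpt"]],
        }
        (exposed if rec["action"] == "ACCEPT" else blocked_probes).append(finding)
    return {"exposed": exposed, "blocked_probes": blocked_probes}


def exposed_devices(findings):
    """Map each internal destination to the set of industrial ports reachable from outside."""
    devices = {}
    for f in findings["exposed"]:
        devices.setdefault(f["dst"], set()).add(f["port"])
    return devices


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["exposed"]:
        print(f"EXPOSED  {f['time']} {f['src']} -> {f['dst']}:{f['port']} ({f['protocol']})")
    for f in result["blocked_probes"]:
        print(f"PROBE    {f['time']} {f['src']} -> {f['dst']}:{f['port']} ({f['protocol']})")
    print("Devices reachable from outside:", exposed_devices(result))
```

Every entry in the "exposed" list is a device that step 2 says should not be reachable at all, so the output doubles as the asset list step 1 asks for. Feeding the script a full day's export rather than the constructed sample is the practical check; an empty "exposed" list with a non-empty "blocked_probes" list is the state you want to see.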

The Bigger Picture: OT Security Is No Longer Optional

The UK's National Cyber Security Centre (NCSC), working with CISA and international partners, published new Secure Connectivity Principles for Operational Technology in January 2026. The guidance is clear: OT environments are more interconnected than ever, but most were never designed for modern connectivity or security requirements. The NCSC recommends a "push-only" architecture where data flows outward from secure OT zones, with no unsolicited inbound connections from IT networks or the internet.

The NIS Regulations already require operators of essential services to take appropriate measures to manage cyber risk. As the regulatory landscape tightens and the threat from nation-state actors grows, OT security is rapidly moving from a niche concern to a board-level priority — even for smaller organisations in the supply chain.

The Bottom Line

The Iranian PLC campaign is a stark reminder that cyber attacks against industrial systems are not science fiction, not limited to power stations and military facilities, and not restricted to large enterprises. If your business uses PLCs or any form of industrial control system, you need to verify — today — that those devices are not exposed to the internet.

The good news is that the most effective defences are not expensive or complicated. Disconnect exposed devices. Segment your network. Change default passwords. Back up your configurations. These are basic hygiene measures that align directly with Cyber Essentials and will dramatically reduce your risk.

Do not wait for a CISA advisory with your company's name in it.

Not Sure If Your OT Network Is Exposed?

Our Cyber Essentials assessment includes a review of your network boundaries — including any operational technology. Get certified and get protected.
