What Happened
CISA published Advisory AA26-097A on April 7, 2026 in coordination with the FBI and other US government partners, warning that Iranian-affiliated cyber actors have exploited internet-facing Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) deployed across US critical infrastructure since at least March 2026.
The affected sectors include Government Facilities, Water and Wastewater Systems, and the Energy sector. The attackers used overseas-based IP addresses to connect directly to internet-exposed PLCs using legitimate configuration software — specifically Rockwell Automation’s Studio 5000 Logix Designer — to establish accepted connections. No software vulnerability or exploit code was required. The attack succeeded because the PLC devices were directly accessible from the internet without adequate network segmentation or authentication controls.
Once connected, the threat actors extracted device project files and manipulated data displayed on human-machine interface (HMI) and SCADA systems. Several victims experienced operational disruptions and financial losses as a result of the intrusions. The advisory does not name specific victim organizations or disclose the full scope of affected systems.
Sources: CISA | CyberScoop | The Hacker News
Why This Matters for Canadian Organizations
Rockwell Automation and Allen-Bradley PLCs are widely deployed across Canadian critical infrastructure, including provincial and municipal water treatment facilities, hydroelectric and thermal generation plants, oil and gas pipelines, and federal government industrial systems. The attack method described in CISA’s advisory requires no software exploit — only direct internet access to the PLC and the absence of credential or network controls. This means organizations that have not segmented their OT networks from internet-accessible infrastructure face identical risk regardless of whether they apply software patches.
Canada’s Communications Security Establishment (CSE) and the Canadian Centre for Cyber Security (CCCS) have repeatedly identified Iranian state-sponsored threat actors as a persistent threat to Canadian critical infrastructure in their National Cyber Threat Assessments. The energy sector, water utilities, and federal government facilities have all been named as priority targets. The CCCS typically issues advisory guidance aligned with CISA OT advisories within days of US publication.
The manipulation of SCADA displays — a tactic documented in this campaign — poses risks beyond data theft. Operators who rely on manipulated HMI screens risk making incorrect decisions about physical processes, including valve settings, pump pressures, and chemical dosing in water treatment. This class of attack has direct physical safety implications for Canadian communities served by affected infrastructure.
What to Do
Remove all PLCs and OT devices from direct internet exposure immediately. Place them behind a properly configured firewall and secure gateway. There is no legitimate operational reason for a PLC to be directly accessible from the public internet.
Enforce multi-factor authentication on all remote access pathways to OT networks, including VPNs and remote desktop sessions used by engineers and operators. Review whether Rockwell Studio 5000 Logix Designer or equivalent engineering workstation software can connect to your PLCs from outside your OT network perimeter, and close that pathway if it exists.
Audit PLC project files and SCADA display configurations for unauthorized modifications. Compare current configurations against known-good baselines. Any discrepancy should trigger incident response procedures.
Canadian critical infrastructure operators should also review CCCS guidance on OT security and report any confirmed or suspected incidents to the Canadian Centre for Cyber Security at contact@cyber.gc.ca. Timely reporting supports national situational awareness and helps protect peer organizations operating similar infrastructure.
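The exposure and audit steps above can be checked programmatically. The following is an added example, not code from the CISA advisory or from Rockwell Automation: it scans constructed firewall/flow records for connections to PLC service ports (44818/tcp EtherNet/IP and 2222/udp CIP I/O are the standard Rockwell ports) that come from outside an assumed approved engineering subnet, and it compares SHA-256 digests of exported project files against a known-good baseline manifest. All addresses, file names and file contents are constructed placeholders.

```python
"""Added example, not part of the CISA advisory or any Rockwell tooling: two
defender-side checks that follow from the mitigations above.

  exposure_findings()  - scan flow/firewall records for connections to PLC
                         service ports from sources outside the approved
                         engineering subnets (internet exposure / segmentation).
  baseline_drift()     - compare SHA-256 digests of exported PLC project files
                         against a known-good manifest (configuration audit).

Ports 44818/tcp (EtherNet/IP) and 2222/udp (CIP I/O) are the standard Rockwell
service ports. Every address, file name and file body below is constructed.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

PLC_PORTS = {44818, 2222}

# Constructed policy: only the engineering VLAN and one jump host may talk to PLCs.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.30.0/24"),
                    ipaddress.ip_network("10.0.0.5/32")]
# RFC 1918 space; anything outside it is treated as an external (internet) source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed records in the shape of a simple firewall or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.20.30.14", "10.50.1.21", 44818, "tcp"),   # engineering VLAN: expected
    Flow("203.0.113.77", "10.50.1.21", 44818, "tcp"),  # external source: finding
    Flow("198.51.100.9", "10.50.1.22", 2222, "udp"),   # external source: finding
    Flow("10.99.7.3", "10.50.1.21", 44818, "tcp"),     # internal but unapproved: finding
    Flow("10.0.0.5", "10.50.1.21", 44818, "tcp"),      # jump host: expected
    Flow("203.0.113.77", "10.50.1.21", 443, "tcp"),    # not a PLC service port: ignored
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def exposure_findings(flows):
    """Return (src, dst, dport, kind) for every flow that reaches a PLC service
    port from an unapproved source. kind is 'internet-exposed' when the source
    lies outside RFC 1918 space (the precondition the advisory describes) and
    'unsegmented' when it is internal but not an approved engineering host."""
    findings = []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        if f.dport in PLC_PORTS and not _in_any(src, APPROVED_SOURCES):
            kind = "unsegmented" if _in_any(src, INTERNAL_NETS) else "internet-exposed"
            findings.append((f.src, f.dst, f.dport, kind))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good project exports captured at commissioning (.L5X is the
# Logix Designer XML export format; these bodies are placeholders, not real files).
GOOD_PUMP = b"<RSLogix5000Content>pump station A rung logic v1</RSLogix5000Content>"
GOOD_DOSE = b"<RSLogix5000Content>hypochlorite setpoint 2.1 mg/L</RSLogix5000Content>"
BASELINE = {
    "PumpStationA.L5X": sha256_hex(GOOD_PUMP),
    "ChemDosing.L5X": sha256_hex(GOOD_DOSE),
    "HMI_Overview.xml": sha256_hex(b"<Display>overview v1</Display>"),
}

# Constructed "current" export: one file altered, one added, one missing.
CURRENT_FILES = {
    "PumpStationA.L5X": GOOD_PUMP,
    "ChemDosing.L5X": b"<RSLogix5000Content>hypochlorite setpoint 9.0 mg/L</RSLogix5000Content>",
    "NewRoutine.L5X": b"<RSLogix5000Content>routine not in baseline</RSLogix5000Content>",
}


def baseline_drift(baseline, current_files):
    """Compare current file contents against the baseline manifest and return
    {'modified': [...], 'added': [...], 'missing': [...]}. Any non-empty list is
    a discrepancy that should open an incident, as the advisory recommends."""
    current_digests = {name: sha256_hex(body) for name, body in current_files.items()}
    return {
        "modified": sorted(n for n in baseline if n in current_digests
                           and current_digests[n] != baseline[n]),
        "added": sorted(n for n in current_digests if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current_digests),
    }


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_FLOWS):
        print("EXPOSURE", *finding)
    for kind, names in baseline_drift(BASELINE, CURRENT_FILES).items():
        print("DRIFT", kind, names)
```

In practice the flow records would come from the perimeter firewall or a NetFlow collector and the baseline manifest from digests taken at commissioning and stored off the OT network; the approved-source list should be the same allowlist the firewall enforces, so any hit from this script is also a policy gap in the firewall rules.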