Introduction
On April 7, 2026, CISA released Advisory AA26-097A detailing ongoing attacks by Iranian-affiliated APT actors against internet-facing Operational Technology (OT) environments, specifically targeting Rockwell Automation/Allen-Bradley Programmable Logic Controllers (PLCs). These confirmed attacks have resulted in PLC disruptions across multiple U.S. critical infrastructure sectors, including manufacturing, energy, and water facilities.
The threat actors are exploiting exposure pathways by maliciously interacting with project files and manipulating data on Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) displays. This is not theoretical—operational disruption and financial loss have already occurred. Defenders must act immediately to identify internet-facing OT assets and validate the integrity of PLC configurations.
Technical Analysis
Affected Products and Platforms
- Vendor: Rockwell Automation (Allen-Bradley)
- Target Devices: Programmable Logic Controllers (PLCs)
- Affected Components: Project files, HMI systems, SCADA displays
- Attack Surface: Internet-facing OT devices, unsecured CIP (Common Industrial Protocol) ports
Attack Chain and Methodology
From a defensive perspective, the Iranian APT actors are leveraging the following attack vector:
- Discovery: Scanning for internet-facing PLC devices using Rockwell Automation protocols (CIP/EtherNet/IP on TCP ports 44818, 2222)
- Initial Access: Establishing connections to exposed PLCs without authentication on older configurations or leveraging weak default credentials
- Project File Manipulation: Uploading maliciously modified project files (.ACD, .L5X, .mer) that alter PLC logic
- Data Manipulation: Modifying data registers displayed on HMI/SCADA systems to hide malicious activity from operators
- Operational Disruption: Executing logic that causes physical process disruptions
Exploitation Status
- Status: Confirmed active exploitation (AA26-097A)
- Exploitation Requirement: Internet connectivity to OT devices, exposure of CIP/EtherNet/IP protocols
- Zero-Day Status: Attackers are leveraging protocol exposure and misconfiguration rather than a specific CVE; however, this represents a critical security posture issue
- CISA KEV: Included in CISA Known Exploited Vulnerabilities Catalog as an actively exploited configuration issue
Detection & Response
The following detection mechanisms focus on identifying unusual protocol interactions, project file modifications, and suspicious network activity targeting OT infrastructure.
SIGMA Rules
---
title: Suspicious CIP/EtherNet_IP Connections from External Sources
id: 8f4d3a2c-1b9e-4f7c-a5d6-9e8f0a1b2c3d
status: experimental
description: Detects external network connections to Rockwell Automation CIP ports (44818, 2222) from non-engineering workstations, indicating potential unauthorized PLC access attempts.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
    - https://attack.mitre.org/techniques/T0866/
author: Security Arsenal
date: 2026/04/07
tags:
    - attack.initial_access
    - attack.t0866
    - ics
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 44818
            - 2222
    filter_legitimate:
        # CIDR matching needs the cidr modifier; a plain contains on these strings never matches an address
        SourceIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            # add your engineering workstation / VPN range here, e.g. '<ENGINEERING_SUBNET>/24'
    condition: selection and not filter_legitimate
falsepositives:
    - Remote maintenance from known vendor IPs
    - Legitimate VPN access from engineering staff
level: critical
---
title: Rockwell Project File Modification Anomalies
id: 7e3c1b9d-2a4f-5e8d-b6c7-0f1a2b3c4d5e
status: experimental
description: Detects modifications to Rockwell Automation project files (.ACD, .L5X, .mer) by processes not typically associated with legitimate engineering tools, indicating potential project file tampering.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
    - https://attack.mitre.org/techniques/T0885/
author: Security Arsenal
date: 2026/04/07
tags:
    - attack.impact
    - attack.t0885
    - ics
logsource:
    category: file_change
    product: windows
detection:
    selection:
        # endswith avoids matching unrelated names that merely contain the substring (e.g. ".merge")
        TargetFilename|endswith:
            - '.ACD'
            - '.L5X'
            - '.mer'
    filter_legit_tools:
        Image|contains:
            - '\RSLogix'
            - '\Studio5000'
            - '\FactoryTalk'
            - '\ControlFLASH'
    condition: selection and not filter_legit_tools
falsepositives:
    - Backup software interacting with project files
    - Antivirus scanning operations
level: high
---
title: Anomalous SCADA/HMI Tag Write Patterns
id: 6d2b0a8c-193e-4d7c-c5b6-e0f9a1b2c3d4
status: experimental
description: Detects rapid or bulk writes to SCADA/HMI tag databases that may indicate data manipulation attempts to mask malicious PLC activity.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
    - https://attack.mitre.org/techniques/T0885/
author: Security Arsenal
date: 2026/04/07
tags:
    - attack.defense_evasion
    - attack.t0885
    - ics
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\RSLinx'
            - '\FactoryTalk'
            - '\Ignition'
            - '\InduSoft'
        CommandLine|contains:
            - '-tag'
            - '/write'
            - '/import'
    timeframe: 1m
    condition: selection | count() > 50
falsepositives:
    - Legitimate batch tag imports during commissioning
    - Scheduled database synchronization
level: medium
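The first SIGMA rule above depends on real CIDR matching of the source address, which is what the `cidr` modifier provides. The following added example (not part of the advisory or the Security Arsenal rule set) applies that rule's logic to constructed Sysmon-style network connection records; the engineering subnet 203.0.113.0/24 is a placeholder, not a value from the page.

```python
# Added example: evaluates the "external source to CIP port" rule over constructed
# Sysmon Event ID 3 style records. Not code from CISA AA26-097A or Security Arsenal.
import ipaddress

CIP_PORTS = {44818, 2222}
# Internal ranges from the rule, plus loopback and a constructed engineering subnet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "203.0.113.0/24",  # placeholder: engineering/VPN subnet (constructed for this example)
)]

def is_internal(addr: str) -> bool:
    """True when addr falls inside any allowed source range (proper CIDR containment)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)

def is_suspicious_cip_connection(event: dict) -> bool:
    """Sigma condition: selection (CIP destination port) and not filter_legitimate."""
    if int(event["DestinationPort"]) not in CIP_PORTS:
        return False
    return not is_internal(event["SourceIp"])

def hunt(events):
    """Return the records that match the rule, in input order."""
    return [e for e in events if is_suspicious_cip_connection(e)]

# Constructed sample records; field names follow the Sysmon network_connection schema.
SAMPLE_EVENTS = [
    {"SourceIp": "10.20.5.17", "DestinationIp": "10.20.9.3", "DestinationPort": 44818,
     "Image": "C:\\Program Files (x86)\\Rockwell Software\\RSLinx\\RSLINX.EXE"},
    {"SourceIp": "198.51.100.44", "DestinationIp": "10.20.9.3", "DestinationPort": 44818, "Image": "-"},
    {"SourceIp": "203.0.113.9", "DestinationIp": "10.20.9.3", "DestinationPort": 2222, "Image": "-"},
    {"SourceIp": "198.51.100.44", "DestinationIp": "10.20.9.3", "DestinationPort": 443, "Image": "-"},
    {"SourceIp": "192.0.2.77", "DestinationIp": "10.20.9.4", "DestinationPort": "2222", "Image": "-"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT external source {hit['SourceIp']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the two records whose source lies outside every listed range and that target a CIP port are reported; the 203.0.113.9 record is suppressed by the engineering subnet entry, which is the whitelisting decision each site has to make explicitly.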
KQL (Microsoft Sentinel / Defender)
// Hunt for external connections to Rockwell Automation CIP ports
let CIPPorts = dynamic([44818, 2222]);
let InternalSubnets = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
DeviceNetworkEvents
| where RemotePort in (CIPPorts)
| where not(ipv4_is_in_any_range(RemoteIP, InternalSubnets))
| extend ParsedProtocol = case(
    RemotePort == 44818, "CIP/EtherNet-IP",
    RemotePort == 2222, "Rockwell Service",
    "Unknown")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, ParsedProtocol, InitiatingProcessFileName
| order by Timestamp desc

// Detect anomalous project file access patterns
// Extensions are listed without the dot so they compare equal to the split() result below
let ProjectExtensions = dynamic(["acd", "l5x", "mer", "apf"]);
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileDeleted")
| extend FileExtension = tolower(tostring(split(FileName, ".")[-1]))
| where isnotempty(FileExtension) and FileExtension in (ProjectExtensions)
| summarize FileCount = dcount(FileName), ActivityTypes = make_set(ActionType) by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where FileCount > 5
| project-reorder Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, FileCount, ActivityTypes
| order by Timestamp desc

// Correlate engineering workstation activity with OT network traffic
let EngineeringWorkstations = DeviceProcessEvents
    | where ProcessCommandLine has_any ("RSLogix", "Studio5000", "FactoryTalk")
    | distinct DeviceId, DeviceName;
DeviceNetworkEvents
| where DeviceId in ((EngineeringWorkstations | project DeviceId))
| where Protocol in~ ("tcp", "udp") and RemotePort in (44818, 2222, 102)
| summarize ConnectionCount = count(), RemoteIPs = make_set(RemoteIP, 100) by DeviceName, RemotePort, InitiatingProcessFileName, bin(Timestamp, 15m)
| where ConnectionCount > 10
| order by Timestamp desc
Velociraptor VQL
-- Hunt for suspicious network connections to Rockwell PLC ports
-- netstat() exposes the remote endpoint as Raddr.IP / Raddr.Port and the state as Status
SELECT Timestamp, Pid, Name AS ProcessName, Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Raddr.Port IN (44818, 2222)
  AND Status =~ 'ESTABLISHED'
  AND NOT Raddr.IP =~ '^(10[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|192[.]168[.]|127[.])'
ORDER BY Timestamp DESC

-- Identify Rockwell project files modified in the last 24 hours
-- Narrow the glob roots to your project shares to keep the scan cheap
SELECT OSPath, Size, Mtime, Atime, Mode
FROM glob(globs=['C:/Projects/**/*.acd', 'C:/Projects/**/*.l5x', 'C:/Projects/**/*.mer'])
WHERE Mtime > timestamp(epoch=now() - 86400)
ORDER BY Mtime DESC
Remediation Script (PowerShell)
<#
.SYNOPSIS
    Rockwell OT Security Assessment and Hardening Script
.DESCRIPTION
    Audits network exposure, validates PLC project file integrity, and documents security posture
    for Rockwell Automation OT environments per CISA AA26-097A.
.NOTES
    Run on management workstations with network visibility to OT assets.
#>

# Function to check for established connections to CIP ports from addresses outside internal ranges
function Test-CIPExternalExposure {
    Write-Host "[*] Checking for external connections to CIP ports (44818, 2222)..." -ForegroundColor Cyan
    $cipPorts = @(44818, 2222)
    # Prefix match on RFC 1918 ranges plus loopback; add engineering/VPN ranges for your site
    $internalSubnets = @("10.", "192.168.", "127.") + (16..31 | ForEach-Object { "172.$_." })
    $connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $cipPorts } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
    $externalConnections = @()
    foreach ($conn in $connections) {
        $isInternal = $false
        foreach ($subnet in $internalSubnets) {
            if ($conn.RemoteAddress.StartsWith($subnet)) {
                $isInternal = $true
                break
            }
        }
        if (-not $isInternal) {
            $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
            $conn | Add-Member -MemberType NoteProperty -Name ProcessName -Value $process.ProcessName -Force
            $conn | Add-Member -MemberType NoteProperty -Name ProcessPath -Value $process.Path -Force
            $externalConnections += $conn
        }
    }
    if ($externalConnections.Count -gt 0) {
        Write-Host "[!] ALERT: Found $($externalConnections.Count) external connections to CIP ports:" -ForegroundColor Red
        # Render to the host rather than the output stream so the function returns only the boolean
        $externalConnections | Format-Table -AutoSize | Out-String | Write-Host
        return $true
    } else {
        Write-Host "[+] No external CIP connections detected." -ForegroundColor Green
        return $false
    }
}

# Function to audit Rockwell project file integrity
function Test-ProjectFileIntegrity {
    Write-Host "[*] Auditing Rockwell project file modifications in last 24 hours..." -ForegroundColor Cyan
    $projectExtensions = @("*.acd", "*.l5x", "*.mer", "*.apf")
    # Adjust to the project share locations used at your site
    $searchPaths = @("C:\Projects", "C:\RSLogix 5000 Projects", "C:\FactoryTalk", "D:\Projects")
    $modifiedFiles = @()
    foreach ($path in $searchPaths) {
        if (Test-Path $path) {
            foreach ($ext in $projectExtensions) {
                $files = Get-ChildItem -Path $path -Filter $ext -Recurse -File -ErrorAction SilentlyContinue |
                    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) }
                $modifiedFiles += @($files)   # @() so an empty result does not append a $null entry
            }
        }
    }
    if ($modifiedFiles.Count -gt 0) {
        Write-Host "[!] ALERT: Found $($modifiedFiles.Count) project files modified in the last 24 hours:" -ForegroundColor Yellow
        $modifiedFiles |
            Select-Object FullName, LastWriteTime, Length, @{Name = "Hash"; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }} |
            Format-Table -AutoSize | Out-String | Write-Host
        return $true
    } else {
        Write-Host "[+] No recent project file modifications detected." -ForegroundColor Green
        return $false
    }
}

# Function to generate OT security report
function New-OTSecurityReport {
    $reportDir = "C:\Temp"
    if (-not (Test-Path $reportDir)) { New-Item -ItemType Directory -Path $reportDir -Force | Out-Null }
    $reportPath = "$reportDir\OTSecurityAssessment_$(Get-Date -Format 'yyyyMMdd_HHmmss')."
    $report = [ordered]@{
        ScanTime                 = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        Hostname                 = $env:COMPUTERNAME
        CIPExternalExposure      = Test-CIPExternalExposure
        ProjectFileModifications = Test-ProjectFileIntegrity
        AdvisoryReference        = "CISA AA26-097A"
        Recommendations          = @(
            "Isolate PLCs from the internet",
            "Implement network segmentation with DMZ architecture",
            "Disable CIP/EtherNet-IP exposure on public interfaces",
            "Enable authentication and access control on PLC project files",
            "Implement anomaly detection for HMI/SCADA tag writes",
            "Review and validate all PLC logic against known-good baselines"
        )
    }
    $report | ConvertTo-Json -Depth 4 | Out-File -FilePath $reportPath
    Write-Host "[*] Security report saved to: $reportPath" -ForegroundColor Cyan
}

# Execute assessment
Write-Host "`n[*] Starting Rockwell OT Security Assessment (CISA AA26-097A)..." -ForegroundColor Cyan
New-OTSecurityReport
Write-Host "[*] Assessment complete. Review findings and implement immediate remediation." -ForegroundColor Cyan
Remediation
Immediate Actions (Within 24 Hours)
- Isolate Internet-Facing OT Devices
  - Immediately disconnect any Rockwell Automation PLCs or HMIs with public IP addresses from the internet
  - Verify through firewall rule audits that CIP/EtherNet-IP ports (TCP 44818, 2222) are not accessible from external networks
- Validate Project File Integrity
  - Compare all active PLC project files (.ACD, .L5X) against known-good backups
  - Upload known-good configurations to PLCs to ensure no malicious logic persists
  - Document and investigate any project files with recent unauthorized modifications
- Review HMI/SCADA Data Integrity
  - Cross-reference physical process values with HMI/SCADA display values
  - Implement manual verification of critical process points until integrity is confirmed
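Comparing active project files against known-good backups is a hash-baseline exercise, which the PowerShell script above only partially covers (it lists recent hashes but keeps no baseline). The following added example (not code from the advisory or from Security Arsenal) builds a SHA-256 baseline of .ACD/.L5X/.mer files and reports what changed; the directory layout and file contents are constructed in a temporary folder so it runs offline.

```python
# Added example: SHA-256 baseline and diff for Rockwell project files.
# Not part of CISA AA26-097A or the Security Arsenal script; sample files are constructed.
import hashlib
import json
import tempfile
from pathlib import Path

PROJECT_EXTENSIONS = {".acd", ".l5x", ".mer"}

def sha256_file(path: Path) -> str:
    """Stream the file so large .ACD archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every project file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in PROJECT_EXTENSIONS}

def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Deviations to investigate before trusting the logic loaded on a PLC."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "new": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: after baselining, one file is altered, one added, one removed."""
    root = Path(tempfile.mkdtemp())
    (root / "Line1").mkdir()
    (root / "Line1" / "Mixer.ACD").write_bytes(b"known-good logic v1")
    (root / "Line1" / "Mixer.L5X").write_bytes(b"<RSLogix5000Content/>")
    (root / "Panel.mer").write_bytes(b"hmi runtime")
    (root / "README.txt").write_bytes(b"not a project file; ignored")
    baseline = build_baseline(root)                                        # known-good snapshot
    (root / "Line1" / "Mixer.ACD").write_bytes(b"altered logic")            # modified in place
    (root / "Line1" / "Pump.ACD").write_bytes(b"unexpected new project")    # appeared after baseline
    (root / "Panel.mer").unlink()                                           # removed after baseline
    return compare_to_baseline(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON on the offline backup media called for under Project File Security, so the comparison is made against a copy the attacker could not have touched.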
Short-Term Remediation (Within 72 Hours)
- Network Segmentation Implementation
  - Establish proper Purdue Model network architecture with DMZ between enterprise and OT zones
  - Implement firewalls restricting CIP protocol traffic to approved engineering workstations only
  - Deploy IDS/IPS signatures for anomalous CIP protocol activity
- Access Control Hardening
  - Enable authentication on all Rockwell controllers supporting it (requires firmware update for legacy models)
  - Implement role-based access control (RBAC) for project file modifications
  - Rotate all OT-related credentials, especially for PLC and HMI access
- Monitoring and Detection
  - Deploy OT-specific monitoring solutions capable of parsing CIP/EtherNet-IP protocol
  - Configure alerts for any unauthorized project file uploads or downloads
  - Implement baseline anomaly detection for HMI/SCADA tag writes and PLC register changes
Vendor-Specific Guidance
Rockwell Automation Recommendations:
- Review advisory: Rockwell Security Advisory
- Update firmware to latest versions supporting enhanced security features
- Implement FactoryTalk Security for centralized access management
- Utilize GuardLogix Safety Controllers for safety-critical applications
CISA Deadlines:
- Per CISA Binding Operational Directive (BOD) 23-02: Federal agencies must patch/secure by May 7, 2026
- Private sector critical infrastructure operators are strongly advised to meet the same timeline
Configuration Changes
Apply the following hardening configurations:
Firewall Rules (on first-match firewalls the Allow rules must sit above the Block rules, otherwise the broad deny also drops engineering traffic):
- Allow: TCP/44818 from ENGINEERING_SUBNET to PLC_SUBNET
- Allow: TCP/2222 from ENGINEERING_SUBNET to PLC_SUBNET
- Block: INBOUND TCP/44818 from ANY to PLC_SUBNET
- Block: INBOUND TCP/2222 from ANY to PLC_SUBNET
PLC Security Settings:
- Enable: User authentication (firmware v21+)
- Enable: Source address verification
- Disable: Unused Ethernet ports
- Configure: Critical safety interlocks
Project File Security:
- Enable: File integrity monitoring for .ACD, .L5X files
- Implement: Change approval workflow for project uploads
- Establish: Offline backup air-gap storage
Long-Term Resilience
- Conduct quarterly penetration testing of OT network boundaries
- Implement an OT Security Information and Event Management (SIEM) solution
- Develop and exercise incident response playbooks specifically for PLC manipulation attacks
- Consider implementing unidirectional gateways (data diodes) for critical control loops
- Establish relationships with industry ISACs (e.g., EI-ISAC for energy, WSCC for water)