
Rockwell Logic Implants: Defending Against Iranian APT Targeting of Exposed PLCs

Security Arsenal Team
April 13, 2026

On April 7, 2026, a joint advisory from the FBI, CISA, and the NSA underscored a severe threat to Operational Technology (OT): Iranian-linked Advanced Persistent Threats (APTs) are actively scanning and exploiting internet-exposed Rockwell Automation PLCs. The internet scanning firm Censys has since identified 5,219 devices currently exposed to the open internet, with a significant majority residing within the United States.

This is not a theoretical risk. We are seeing adversaries leverage "logic implant" techniques to alter the physical behavior of industrial processes. For defenders, the message is stark: any Rockwell Logix controller reachable from the public internet is a compromise waiting to happen. Immediate action is required to audit your perimeter, identify unauthorized exposures, and remediate the underlying vulnerabilities.

Technical Analysis

Affected Products & Platforms

The primary targets are Rockwell Automation Logix-based controllers, specifically:

  • ControlLogix 5580 controllers
  • CompactLogix 5380 controllers
  • GuardLogix 5580 controllers
  • Other Logix 5000 series controllers utilizing the EtherNet/IP network interface.

Vulnerability & Exploitation

The primary vector of concern for this specific campaign involves the exploitation of CVE-2024-6242 (CVSS Score 10.0). This vulnerability resides in the Common Industrial Protocol (CIP) implementation used over EtherNet/IP.

  • Mechanism: The flaw allows a remote, unauthenticated attacker to send specially crafted CIP messages to the controller. This can lead to a denial-of-service (DoS) condition or, more critically, logic implantation—the ability to upload malicious ladder logic or modify existing control logic without authorization.
  • Attack Chain:
    1. Discovery: Attackers scan the internet for TCP port 44818 (CIP) and UDP 2222 (EtherNet/IP).
    2. Initial Access: Upon finding an exposed PLC, the attacker establishes a CIP connection.
    3. Execution: Utilizing CVE-2024-6242, the attacker bypasses authentication checks to write malicious control instructions directly to the controller's memory.
    4. Impact: The attacker gains the ability to physically manipulate the machinery controlled by the PLC.
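The discovery and initial-access steps above are visible on the wire as EtherNet/IP encapsulation commands: scanners send ListIdentity/ListServices probes, and a client must RegisterSession before it can carry CIP explicit messages (SendRRData/SendUnitData) to the controller. The following triage helper, written for this article as an added example and not taken from the advisory or from Rockwell, decodes the 24-byte EtherNet/IP encapsulation header from captured TCP/44818 payloads and classifies traffic from non-internal sources. The sample frames are constructed minimal requests, not captured attack traffic; the internal ranges match the ones used in the detection rules later in this post.

```python
import ipaddress
import struct

# EtherNet/IP encapsulation command codes (ODVA EtherNet/IP specification).
ENIP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",     # unconnected explicit messaging, carries CIP
    0x0070: "SendUnitData",   # connected messaging, carries CIP
}

# Identity/service probes are what internet-wide scanners send; a session
# registration or explicit message is what a client needs before it can touch logic.
RECON_COMMANDS = {0x0004, 0x0063, 0x0064}
ACCESS_COMMANDS = {0x0065, 0x006F, 0x0070}

INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# command(2) length(2) session(4) status(4) sender-context(8) options(4), little-endian
HEADER = struct.Struct("<HHIIQI")


def parse_enip_header(payload: bytes) -> dict:
    """Decode the 24-byte EtherNet/IP encapsulation header at the start of payload."""
    if len(payload) < HEADER.size:
        raise ValueError("short EtherNet/IP frame")
    command, length, session, status, _context, _options = HEADER.unpack_from(payload)
    return {
        "command": command,
        "command_name": ENIP_COMMANDS.get(command, f"Unknown(0x{command:04x})"),
        "length": length,
        "session": session,
        "status": status,
        "data": payload[HEADER.size:HEADER.size + length],
    }


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in INTERNAL_RANGES)


def triage_frame(src_ip: str, dst_port: int, payload: bytes):
    """Return a finding for external EtherNet/IP traffic to the CIP port, else None."""
    if dst_port != 44818 or is_internal(src_ip):
        return None
    hdr = parse_enip_header(payload)
    if hdr["command"] in RECON_COMMANDS:
        severity, reason = "medium", "external identity/service probe (scanner behaviour)"
    elif hdr["command"] in ACCESS_COMMANDS:
        severity, reason = "critical", "external session or explicit messaging to controller"
    else:
        severity, reason = "low", "external EtherNet/IP traffic"
    return {"src_ip": src_ip, "command": hdr["command_name"],
            "severity": severity, "reason": reason}


# Constructed sample frames (src_ip, dst_port, payload); not captured traffic.
SAMPLE_FRAMES = [
    # ListIdentity request: no data, no session handle yet
    ("203.0.113.7", 44818, HEADER.pack(0x0063, 0, 0, 0, 0, 0)),
    # RegisterSession request: 4 data bytes (protocol version 1, option flags 0)
    ("203.0.113.7", 44818, HEADER.pack(0x0065, 4, 0, 0, 0, 0) + struct.pack("<HH", 1, 0)),
    # Same request from an engineering workstation on the internal network
    ("192.168.10.20", 44818, HEADER.pack(0x0065, 4, 0, 0, 0, 0) + struct.pack("<HH", 1, 0)),
]


def run_triage(frames):
    """Apply triage_frame to every (src_ip, dst_port, payload) tuple and keep the findings."""
    return [f for f in (triage_frame(*frame) for frame in frames) if f]


if __name__ == "__main__":
    for finding in run_triage(SAMPLE_FRAMES):
        print(f"[{finding['severity']}] {finding['src_ip']} {finding['command']}: {finding['reason']}")
```

In practice the payloads come from a pcap or an OT network sensor; the point of the split between RECON_COMMANDS and ACCESS_COMMANDS is that an external ListIdentity confirms the controller is discoverable, while an external RegisterSession confirms that a client got far enough to start exchanging CIP messages with it.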

Exploitation Status

  • In-the-Wild: Confirmed active exploitation by Iranian APT groups (specifically targeting US critical infrastructure sectors).
  • CISA KEV: Listed in the Known Exploited Vulnerabilities Catalog.

Detection & Response

The following detection mechanisms focus on identifying the network exposure of OT assets and suspicious activity indicative of CIP protocol manipulation or engineering workstation compromise.

SIGMA Rules

YAML
---
title: Rockwell PLC CIP Exposure on Public Interface
id: 8a2b3c4d-5e6f-4a7b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects inbound network connections to Rockwell EtherNet/IP ports (44818/TCP, 2222/UDP) from external non-internal IP ranges, indicating potential exposure or scanning.
references:
  - https://www.cisa.gov/news-events/alerts/2026/04/07/iranian-apt-actors-targeting-ot-devices
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.initial_access
  - attack.t1190
  - ics.scada
logsource:
  category: firewall
detection:
  selection:
    # Port match alone covers both TCP 44818 and UDP 2222 in the generic firewall taxonomy
    dst_port:
      - 44818
      - 2222
  filter_internal:
    # The cidr modifier is required; a plain string match would never hit a CIDR value
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - 'fc00::/7'
  condition: selection and not filter_internal
falsepositives:
  - Legitimate remote vendor access via VPN (if VPN IPs are not classified as internal in logs)
level: critical
---
title: Suspicious Process Spawn by Rockwell Engineering Software
id: 9b3c4d5e-6f7a-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the execution of cmd.exe or powershell.exe spawned by Rockwell Automation engineering tools (Studio 5000, RSLogix), often indicative of exploitation or scripting logic changes.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.execution
  - attack.t1059.001
  - ics.impact
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains:
      - '\Studio 5000\'
      - '\RSLogix 5000\'
      - '\FactoryTalk Services\'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate automation scripts launched by engineers
level: medium
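To make the first rule's logic concrete (and to test it before deploying it), here is the same "selection and not filter_internal" decision implemented over a handful of constructed key=value firewall log lines. This is an added example written for this post, not a Sigma backend and not code from the advisory; the log format, the field names (src, dst, dpt, proto) and the trusted VPN range are assumptions, and the sample lines are constructed, not real captures. It goes slightly beyond the rule by letting you pass extra trusted ranges, which is the documented false-positive case for vendor VPN access.

```python
import ipaddress
import re
from collections import Counter

# Ports and internal ranges mirror the Sigma rule above.
CIP_PORTS = {44818, 2222}
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

KV = re.compile(r"(\w+)=(\S+)")

# Constructed firewall log lines (key=value syslog style), not real captures.
SAMPLE_LOGS = [
    "2026-04-08T02:14:09Z action=allow proto=tcp src=198.51.100.23 spt=51234 dst=10.20.30.40 dpt=44818",
    "2026-04-08T02:14:11Z action=allow proto=tcp src=10.50.1.7 spt=49211 dst=10.20.30.40 dpt=44818",
    "2026-04-08T02:15:02Z action=allow proto=udp src=203.0.113.9 spt=2222 dst=10.20.30.41 dpt=2222",
    "2026-04-08T02:15:40Z action=allow proto=tcp src=198.51.100.23 spt=51240 dst=10.20.30.40 dpt=443",
    "2026-04-08T02:16:13Z action=allow proto=tcp src=100.64.5.9 spt=40001 dst=10.20.30.40 dpt=44818",
    "2026-04-08T02:17:55Z action=allow proto=tcp src=2001:db8::1 spt=60000 dst=10.20.30.42 dpt=44818",
    "2026-04-08T02:18:00Z action=deny proto=tcp src=198.51.100.23 spt=51250 dst=10.20.30.40 dpt=bogus",
]


def parse_line(line: str) -> dict:
    """Split a firewall line into fields; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_internal(ip: str, trusted_ranges=()) -> bool:
    """True for RFC 1918 / ULA sources, or any extra trusted range (e.g. a VPN pool)."""
    addr = ipaddress.ip_address(ip)
    ranges = list(INTERNAL_RANGES) + [ipaddress.ip_network(r) for r in trusted_ranges]
    return any(addr.version == net.version and addr in net for net in ranges)


def matches_rule(event: dict, trusted_ranges=()) -> bool:
    """'selection and not filter_internal', as in the Sigma rule."""
    try:
        port = int(event.get("dpt", ""))
        src = ipaddress.ip_address(event.get("src", ""))
    except ValueError:
        return False  # malformed line: non-numeric port or unparseable source
    if port not in CIP_PORTS or event.get("proto", "").lower() not in ("tcp", "udp"):
        return False
    return not is_internal(str(src), trusted_ranges)


def hunt(lines, trusted_ranges=()):
    """Return the matching events plus a per-(source, port) count for triage."""
    hits = [ev for ev in map(parse_line, lines) if matches_rule(ev, trusted_ranges)]
    counts = Counter((ev["src"], int(ev["dpt"])) for ev in hits)
    return hits, counts


if __name__ == "__main__":
    # Assumed VPN pool 100.64.0.0/10 treated as trusted, per the rule's false-positive note
    hits, counts = hunt(SAMPLE_LOGS, trusted_ranges=("100.64.0.0/10",))
    for (src, port), n in counts.most_common():
        print(f"{src:<20} dpt={port:<6} hits={n}")
```

Note that denied connections are deliberately not filtered out: a blocked attempt from a public address against 44818 is still evidence of scanning and still worth a ticket, which is why the Sigma rule above keys on destination port and source range rather than on the firewall action.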

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for inbound connections to Rockwell CIP ports from non-corporate IPs.
// Uses CommonSecurityLog (CEF firewall feeds): DeviceNetworkEvents only records
// endpoint-side connections, so it never sees traffic aimed at the PLCs themselves.
let CipPorts = dynamic([44818, 2222]);
CommonSecurityLog
| where DestinationPort in (CipPorts)
| where Protocol in~ ("TCP", "UDP")
| where isnotempty(SourceIP)
// ipv4_is_private() covers RFC 1918 only and returns null for IPv6; keep nulls for review
| extend IsPrivate = ipv4_is_private(SourceIP)
| where IsPrivate == false or isnull(IsPrivate)
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SourceIP, DestinationIP, DestinationPort, Protocol
| order by Connections desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for network connections on Rockwell CIP ports (44818/2222) on Windows endpoints
-- Note: this primarily surfaces Engineering Workstations or HMI servers that talk to, or
-- themselves listen on, CIP ports. netstat() is the cross-platform plugin; each socket is
-- joined to its owning process through pslist(pid=...).
SELECT Pid,
       Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort,
       Status,
       { SELECT Name, Exe, CommandLine, Username FROM pslist(pid=Pid) } AS Process
FROM netstat()
WHERE Raddr.Port IN (44818, 2222)
   OR Laddr.Port IN (44818, 2222)

-- Supplemental: Hunt for Rockwell Engineering Software processes (=~ is a regex match in VQL)
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ 'Studio5000.exe'
   OR Name =~ 'RSLogix5000.exe'
   OR Name =~ 'LogixDesigner.exe'

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit internal network for Rockwell PLC ports 44818 and 2222 exposure.
.DESCRIPTION
    Expands each supplied IPv4 subnet (CIDR notation) and attempts a TCP connect to the EtherNet/IP
    ports on every host, to identify shadow IT or misconfigured devices exposed to the internal
    network that could be pivoted to. UDP 2222 (implicit I/O) cannot be verified with a TCP connect,
    so a TCP hit on 2222 is reported only as a hint.
#>

param (
    [string[]]$TargetSubnets = @("192.168.1.0/24"),
    [int]$Timeout = 500
)

$Ports = @(44818, 2222)
$Results = @()

# Expand a CIDR block into its host addresses (refuses anything larger than a /16).
function Expand-Cidr {
    param([string]$Cidr)
    $Base, $Bits = $Cidr -split "/"
    $PrefixLength = [int]$Bits
    if ($PrefixLength -lt 16 -or $PrefixLength -gt 32) { throw "Unsupported prefix length in $Cidr" }
    if ($PrefixLength -eq 32) { return @($Base) }

    $Bytes = [System.Net.IPAddress]::Parse($Base).GetAddressBytes()
    [Array]::Reverse($Bytes)                                   # network order -> little-endian for arithmetic
    $Address   = [int64][BitConverter]::ToUInt32($Bytes, 0)
    $HostBits  = 32 - $PrefixLength
    $Mask      = ([int64]0xFFFFFFFF -shl $HostBits) -band 0xFFFFFFFF
    $Network   = $Address -band $Mask
    $Broadcast = $Network -bor ((-bnot $Mask) -band 0xFFFFFFFF)

    # Emit every host address between the network and broadcast addresses
    for ($i = $Network + 1; $i -lt $Broadcast; $i++) {
        $HostBytes = [BitConverter]::GetBytes([uint32]$i)
        [Array]::Reverse($HostBytes)
        [System.Net.IPAddress]::new($HostBytes).ToString()
    }
}

Write-Host "Starting Rockwell PLC Exposure Audit..." -ForegroundColor Cyan

foreach ($Subnet in $TargetSubnets) {
    $TestIPs = @(Expand-Cidr -Cidr $Subnet)
    Write-Host "Scanning $Subnet ($($TestIPs.Count) hosts)"

    foreach ($IP in $TestIPs) {
        foreach ($Port in $Ports) {
            $TcpClient = New-Object System.Net.Sockets.TcpClient
            try {
                $Connect = $TcpClient.BeginConnect($IP, $Port, $null, $null)
                # WaitOne returns $true only if the connect attempt completed before the timeout
                if ($Connect.AsyncWaitHandle.WaitOne($Timeout, $false)) {
                    $TcpClient.EndConnect($Connect)       # throws if the connect was refused
                    $Results += [PSCustomObject]@{
                        IP        = $IP
                        Port      = $Port
                        Status    = "OPEN"
                        Timestamp = Get-Date
                    }
                    Write-Host "[ALERT] Open Rockwell Port Found: ${IP}:${Port}" -ForegroundColor Red
                }
            } catch {
                # Port closed or filtered
            } finally {
                $TcpClient.Close()
            }
        }
    }
}

if ($Results) {
    $Results | Export-Csv -Path "Rockwell_Exposure_Report.csv" -NoTypeInformation
} else {
    Write-Host "No common Rockwell ports detected open on target scope." -ForegroundColor Green
}

Remediation

  1. Immediate Isolation: If a Rockwell PLC is found to be internet-exposed, disconnect it from the WAN immediately. These devices are designed for isolated operational environments and are not built to withstand public internet scrutiny.

  2. Patch Management: Apply the patches for CVE-2024-6242 released by Rockwell Automation (Security Advisory #AD2024...) immediately. The updated firmware mitigates the unauthenticated logic implantation vulnerability.

    • Action: Review firmware versions for all ControlLogix and CompactLogix controllers and update to v35.011 or higher (or the specific non-vulnerable version specified in the vendor advisory).
  3. Network Segmentation (Purdue Model): Enforce strict demilitarized zones (DMZ). PLCs (Level 1) must never communicate directly with the Internet. All access must be relayed through a bastion host or application gateway in the DMZ, with strict firewall rules allowing only necessary CIP traffic from authorized Engineering Workstations.

  4. Ingress Filtering: Configure perimeter firewalls to block inbound traffic on TCP/UDP 44818 and UDP 2222 from the internet. No legitimate business case exists for an unsolicited connection from the public internet to a PLC.
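Steps 3 and 4 reduce to a checkable policy: every rule that permits a CIP service must have a source wholly inside the set of authorised engineering workstations (or the PLC VLAN itself for implicit I/O), and an explicit deny-from-any must exist for each CIP port so ordered rule sets do not fall through to a permissive default. The following policy checker is an added example written for this article, not a vendor tool; the rule dictionaries are a constructed, simplified representation of a firewall rule base (name, action, proto, src, dst, dport), and the authorised source networks are assumed. It shows a weak rule set beside its corrected form.

```python
import ipaddress

# Protocol/port pairs that carry EtherNet/IP toward a controller (per remediation step 4).
CIP_SERVICES = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Constructed: the only networks that should ever originate CIP traffic into the PLC VLAN.
# 10.50.1.0/28 = engineering workstations behind the DMZ; 10.60.0.0/24 = the PLC/IO VLAN itself.
AUTHORIZED_CIP_SOURCES = ["10.50.1.0/28", "10.60.0.0/24"]


def _net(value: str):
    """Parse a rule address field; 'any' becomes the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if value.lower() == "any" else value, strict=False)


def rule_allows_cip(rule: dict) -> bool:
    return rule["action"] == "allow" and (rule["proto"], rule["dport"]) in CIP_SERVICES


def audit_cip_rules(rules, authorized):
    """Flag every allow rule for a CIP service whose source is not wholly inside the authorised set."""
    allowed = [_net(a) for a in authorized]
    findings = []
    for rule in rules:
        if not rule_allows_cip(rule):
            continue
        src = _net(rule["src"])
        if not any(src.version == net.version and src.subnet_of(net) for net in allowed):
            findings.append(f"{rule['name']}: permits {rule['proto']}/{rule['dport']} "
                            f"from {src}, outside the authorised source set")
    return findings


def has_cip_default_deny(rules) -> bool:
    """True when an explicit deny from any source exists for every CIP service."""
    denied = {(r["proto"], r["dport"]) for r in rules
              if r["action"] == "deny" and _net(r["src"]).prefixlen == 0}
    return CIP_SERVICES <= denied


# Constructed rule sets. The weak one is the classic "vendor needs remote access" mistake.
WEAK_RULES = [
    {"name": "vendor-remote-plc", "action": "allow", "proto": "tcp",
     "src": "any", "dst": "10.60.0.0/24", "dport": 44818},
    {"name": "io-traffic", "action": "allow", "proto": "udp",
     "src": "10.60.0.0/24", "dst": "10.60.0.0/24", "dport": 2222},
]

HARDENED_RULES = [
    {"name": "ews-to-plc-cip", "action": "allow", "proto": "tcp",
     "src": "10.50.1.0/28", "dst": "10.60.0.0/24", "dport": 44818},
    {"name": "io-traffic", "action": "allow", "proto": "udp",
     "src": "10.60.0.0/24", "dst": "10.60.0.0/24", "dport": 2222},
    {"name": "deny-cip-tcp", "action": "deny", "proto": "tcp", "src": "any", "dst": "any", "dport": 44818},
    {"name": "deny-cip-udp", "action": "deny", "proto": "udp", "src": "any", "dst": "any", "dport": 44818},
    {"name": "deny-io-udp", "action": "deny", "proto": "udp", "src": "any", "dst": "any", "dport": 2222},
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {label} ==")
        for finding in audit_cip_rules(rules, AUTHORIZED_CIP_SOURCES):
            print("  FINDING:", finding)
        print("  explicit CIP deny-from-any present:", has_cip_default_deny(rules))
```

Feeding a real rule export through this requires only an adapter from the firewall's export format to the dictionary shape used here; the two checks themselves (source is a subset of an authorised network, and an explicit deny exists) are what an auditor verifies by hand when signing off on step 4.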
