Iran‑Backed APT Groups Exploit OT Vulnerabilities, Disrupt U.S. Critical Infrastructure
What Happened — Iranian‑affiliated advanced persistent threat (APT) groups are actively probing and exploiting internet‑exposed operational‑technology (OT) devices, primarily Rockwell Automation/Allen‑Bradley PLCs and some Siemens controllers. The campaign, documented in a joint FBI‑DoD advisory, has caused real‑time operational disruption and financial loss across multiple U.S. critical‑infrastructure sectors.
Why It Matters for TPRM —
- OT devices are often managed by third‑party vendors or service providers, expanding the attack surface beyond the primary organization.
- Exploitation of CVE‑2021‑22681 demonstrates that known vulnerabilities remain unpatched in many supply‑chain environments.
- Disruption of water, energy, and municipal services can cascade to downstream business partners, creating contractual and reputational risk.
Who Is Affected — Energy & utilities, water & wastewater treatment, municipal governments, and any third‑party that relies on OT platforms from Rockwell, Siemens, or similar manufacturers.
Recommended Actions —
- Conduct an inventory of all internet‑facing OT assets and segment them from corporate networks.
- Verify that CVE‑2021‑22681 and any related patches are applied across all Rockwell/Allen‑Bradley devices.
- Review vendor contracts for OT security clauses; require proof of patch management and network‑segmentation controls.
- Monitor network traffic for anomalous PLC communications and audit HMI/SCADA logs for unauthorized changes.
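The inventory and monitoring actions above can be started from data most organisations already have: firewall or NetFlow records. The script below is an added example, not code from the advisory or from any vendor. It assumes a simple CSV flow‑log format (`timestamp,src,dst,proto,dport,action`), a constructed OT cell subnet, a constructed internal address range, and a single allowlisted engineering workstation; the protocol ports themselves are the real well‑known assignments for EtherNet/IP and Siemens S7comm. It flags PLC‑protocol sessions from external addresses (evidence that a controller is internet‑exposed) and from internal hosts that are not sanctioned to program PLCs, and it derives a list of exposed controllers for the asset inventory.

```python
import csv
import ipaddress
from io import StringIO

# Well-known industrial protocol ports (real assignments): EtherNet/IP (CIP, used by
# Rockwell/Allen-Bradley Logix controllers) on TCP 44818 and UDP 2222; Siemens S7comm
# over ISO-TSAP on TCP 102.
PLC_PORTS = {
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 2222): "EtherNet/IP implicit I/O",
    ("tcp", 102): "S7comm",
}

# Constructed assumptions for this example: the OT cell subnet, the organisation's
# internal address space, and the only engineering workstation allowed to reach PLCs.
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
ENGINEERING_ALLOWLIST = {ipaddress.ip_address("10.20.1.10")}


def is_internal(ip):
    """True when the address belongs to the organisation's own ranges."""
    return any(ip in net for net in INTERNAL_RANGES)


def classify_flow(src, dst, proto, dport):
    """Return the reasons a flow is anomalous; an empty list means expected traffic."""
    key = (proto.lower(), int(dport))
    if key not in PLC_PORTS:
        return []                      # not an industrial protocol port
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in OT_SUBNET:
        return []                      # destination is not one of our PLCs
    proto_name = PLC_PORTS[key]
    if not is_internal(src_ip):
        return [f"{proto_name} session from external address {src}: PLC is internet-exposed"]
    if src_ip in OT_SUBNET or src_ip in ENGINEERING_ALLOWLIST:
        return []                      # intra-cell I/O or the sanctioned engineering host
    return [f"{proto_name} session from non-allowlisted internal host {src}"]


def scan_flow_log(text):
    """Parse CSV flow records and return the anomalous ones with their reasons."""
    findings = []
    for row in csv.DictReader(StringIO(text)):
        reasons = classify_flow(row["src"], row["dst"], row["proto"], row["dport"])
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


def internet_exposed_plcs(findings):
    """Inventory view: PLC addresses that external hosts reached, or were denied reaching."""
    return sorted({f["dst"] for f in findings
                   if not is_internal(ipaddress.ip_address(f["src"]))})


# Constructed sample flow log (firewall/NetFlow style); not real data.
SAMPLE_LOG = """\
timestamp,src,dst,proto,dport,action
2024-01-01T10:00:00Z,10.20.1.10,10.20.0.5,tcp,44818,allow
2024-01-01T10:00:05Z,10.20.0.7,10.20.0.5,udp,2222,allow
2024-01-01T10:01:00Z,203.0.113.45,10.20.0.5,tcp,44818,allow
2024-01-01T10:02:00Z,10.50.3.22,10.20.0.9,tcp,102,allow
2024-01-01T10:03:00Z,10.50.3.22,10.20.0.9,tcp,443,allow
2024-01-01T10:04:00Z,198.51.100.8,10.20.0.9,tcp,102,deny
"""

if __name__ == "__main__":
    results = scan_flow_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"({f['action']}): {'; '.join(f['reasons'])}")
    print("Internet-exposed PLCs:", internet_exposed_plcs(results))
```

Denied flows are kept on purpose: an allowed external session proves exposure, while a denied one from an external address still shows the controller is being probed and belongs on the inventory for segmentation review. In production the allowlist and subnets would come from the asset register rather than constants, and the same classification can be expressed as a SIEM rule.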
Technical Notes — The attacks exploit a known vulnerability (CVE‑2021‑22681) in Rockwell Automation’s OT firmware on misconfigured, internet‑exposed PLCs. Threat actors manipulate project files and HMI/SCADA displays, causing false readings and equipment shutdowns. No ransomware demand was observed, but the activity mirrors prior IRGC‑linked campaigns against Unitronics PLCs.
Source: The Record