
FBI & CISA Release Joint Advisory on State-Affiliated Exploitation of Internet-Facing PLCs

By OPSWAT

Recent guidance from the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency highlights an urgent and evolving threat to OT environments. In a joint advisory, the agencies warned that Iranian-affiliated threat actors have actively exploited internet-facing PLCs (programmable logic controllers) across U.S. critical infrastructure sectors, including water and wastewater systems, energy, and government facilities. The advisory, AA26-097A, highlights a pattern that many in the industry have long suspected but is now being observed in real-world incidents: These actors are no longer relying on software vulnerabilities or zero-day exploits to impact industrial environments. Instead, they are leveraging legitimate access paths, native industrial protocols, and standard engineering tools to directly interact with control systems.

Exposed Control Paths, Not Vulnerabilities

Exposed control paths, not unpatched vulnerabilities, are the primary risk to OT environments. Traditional strategies built around identifying vulnerabilities, patching systems, and monitoring malicious behavior remain important, but the latest advisory makes it clear: if an attacker can reach your OT environment, they can operate within it.

In multiple observed cases, attackers were able to directly connect to internet-facing PLCs using standard industrial communication ports such as 44818, 2222, 102, and 502. Using widely available engineering software, they established valid sessions with these devices and interacted with them as if they were authorized operators.

The shift from asking whether a system is vulnerable to asking whether it is reachable is fundamental. If a control system can be accessed over a network, it can be operated, and if it can be operated, it can be disrupted.

How Modern OT Attacks Are Executed

The attack pattern outlined in the advisory follows a straightforward path:

  • Initial Access: Exposure of PLCs or OT systems to external networks, either directly or through remote access pathways such as VPNs or jump hosts
  • Interaction via Legitimate Means: Attackers then use legitimate engineering tools, such as Studio 5000 Logix Designer, to initiate connections to the device, relying on engineering workstations, vendor tools, or native protocols (e.g., Modbus, EtherNet/IP)
  • Execution:
    • Modification of control logic
    • Upload/download of project files
    • Issuance of commands to physical processes
  • Impact: Operational disruption, safety risks, and potential financial loss

What makes this approach effective is that it bypasses many traditional security controls. There is nothing inherently “malicious” at the protocol or tool level to trigger detection.

Traditional Controls Are No Longer Sufficient

Most OT environments today rely on a combination of firewalls, VPNs, segmentation strategies, and remote access controls. While necessary, these measures have inherent limitations:

  • Firewalls depend on correct configuration and rule management, and they allow required protocols by design
  • VPNs and remote access rely on credential integrity
  • Detection/monitoring systems operate after access has already been established

In the scenarios highlighted by CISA, attackers did not need to bypass these controls in a conventional sense. They simply used the access that already existed.
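As an added example (not part of OPSWAT's post or the advisory), the check below runs over constructed flow records and flags sessions to the PLC ports named above that do not originate from a hypothetical engineering-workstation allowlist, distinguishing in-zone OT hosts, sources that crossed the IT/OT boundary, and external sources; the zones, allowlist and flow format are assumptions.

```python
import ipaddress

# Industrial protocol ports named in advisory AA26-097A.
PLC_PORTS = {
    44818: "EtherNet/IP explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
}

# Hypothetical zones and allowlist; replace with the real network design.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
ENGINEERING_WORKSTATIONS = {"10.20.1.10", "10.20.1.11"}

def classify_source(src):
    # Return why a session from src to a PLC port is suspect, or None if expected.
    if src in ENGINEERING_WORKSTATIONS:
        return None
    addr = ipaddress.ip_address(src)
    if addr in OT_ZONE:
        return "OT host outside the engineering allowlist"
    if addr in IT_ZONE:
        return "session crossed the IT/OT boundary"
    return "PLC port reachable from an external network"

def check_plc_sessions(lines):
    # Flag flow records that reach PLC ports from unexpected sources.
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Constructed flow format: "<timestamp> <src_ip> <dst_ip> <dst_port> <bytes>"
        _, src, dst, port, _ = line.split()
        port = int(port)
        if port not in PLC_PORTS:
            continue
        reason = classify_source(src)
        if reason:
            findings.append((src, dst, port, PLC_PORTS[port], reason))
    return findings

# Constructed sample flows; the third comes from a workstation in the IT zone.
SAMPLE_FLOWS = [
    "2026-04-10T10:01:02Z 10.20.1.10 10.20.5.21 44818 8120",
    "2026-04-10T10:03:15Z 203.0.113.45 10.20.5.21 44818 96400",
    "2026-04-10T10:05:40Z 10.10.8.77 10.20.5.22 502 2200",
    "2026-04-10T10:06:01Z 10.20.1.11 10.20.5.23 102 400",
    "2026-04-10T10:07:30Z 10.20.9.5 10.20.5.22 2222 1500",
    "2026-04-10T10:08:12Z 10.10.8.77 10.20.5.24 443 900",
]
```

Run `check_plc_sessions(SAMPLE_FLOWS)` to get the three flagged sessions; in practice the allowlist should be the complete set of sanctioned engineering hosts, since anything else reaching these ports is evidence of an exposed control path.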

This is why the advisory places strong emphasis on eliminating unnecessary exposure and tightening network segmentation.

Combining Segmentation & Deterministic Isolation

Segmentation has long been a recommended best practice, but not all segmentation is equal.

Logical segmentation, enforced through software and policy, can reduce risk but does not eliminate it. Misconfigurations, credential compromise, or indirect access paths can still create unintended connectivity between IT and OT environments.

What is needed in high-risk environments is deterministic isolation.

Eliminating the Attack Path with One-Way Communication

A more robust approach is to remove the possibility of inbound access altogether.

Data diodes enforce hardware-based, one-way communication between networks. This allows operational data to flow out of the control environment for monitoring, analytics, or compliance purposes, while making it technically impossible for any data, command, or connection to flow back in.

In the context of the attack patterns described by CISA, this has a direct impact:

  • No remote commands can reach PLCs
  • No engineering tools can connect from external networks
  • No malware or unauthorized traffic can enter the control environment

This is not a matter of detecting or blocking malicious activity. It is about eliminating the path entirely.

Aligning with CISA’s Recommendations

CISA’s mitigation guidance emphasizes three core actions:

  • Removing OT assets from direct internet exposure
  • Strengthening segmentation between IT and OT networks
  • Restricting and controlling remote access

One-way communication architectures operationalize these recommendations at a higher assurance level by ensuring that critical control systems are not reachable, even if upstream networks are compromised.

Rethink OT Security: From Defense to Design

Advisory AA26-097A makes the case that defensive assumptions must evolve alongside the threats they address. If attackers no longer need to exploit vulnerabilities, then focusing solely on detection and prevention is insufficient. The priority must shift to architectural controls that remove entire classes of risk. Making OT systems unreachable from external networks is one such control.

Prioritizing Security

The latest CISA advisory underscores a reality that organizations can no longer ignore:

  • Exposure equals risk in OT environments
  • As attackers increasingly leverage legitimate access and native functionality, the most effective defense is not just better monitoring or stricter policies but eliminating unnecessary connectivity altogether.
  • Designing OT environments to be unreachable by design is no longer a theoretical best practice. It is becoming a practical requirement for ensuring operational resilience.
