securityaffairs.com 4/11/2026, 9:22:22 PM

Rockwell PLCs Exposed Online Spark Iran-linked Threat

Primary source: censys.com

Censys researchers identified 5,219 Rockwell Automation PLC hosts exposed on the internet, with 74.6% of global exposure in the United States. According to Censys, these devices respond to EtherNet/IP (port 44818) and self-identify as Rockwell/Allen-Bradley devices, many running MicroLogix and CompactLogix firmware. The report notes that a large share of the exposed devices are connected through cellular networks, with providers such as Verizon and AT&T accounting for a significant portion.

Attackers can scan and fingerprint exposed PLCs remotely, increasing the risk to critical infrastructure in sectors like energy and water, where field-deployed systems may rely on cellular or satellite links. Authorities have warned of Iran-linked APT activity exploiting internet-connected Rockwell PLCs, with U.S. agencies including FBI, CISA and NSA urging organisations to secure or disconnect exposed devices.

The piece, published by Pierluigi Paganini, quotes the report as highlighting that many exposed devices are in networked OT environments, and calls for review of indicators of compromise and coordination with authorities for incident response.

Article by CyberSIXT