The threat actor profile most likely to cause an OT incident in 2026 is not a sophisticated nation-state group with custom malware and zero-days. It is an actor with moderate capabilities — potentially state-affiliated, potentially hacktivist — using basic techniques against internet-exposed control systems that have never had their default credentials changed. CISA’s April 2026 joint advisory, combined with the December 2025 Poland energy sector incident, frames this problem clearly. The barrier to entry for disruptive OT attacks has dropped to a level accessible to a broad range of adversaries.

The April 2026 CISA Advisory

On 7 April 2026, CISA issued a joint advisory with FBI and partner agencies warning of ongoing Iranian-affiliated cyber activity targeting internet-exposed programmable logic controllers (PLCs) deployed across multiple US critical infrastructure sectors. The targeted sectors included government services, water and wastewater systems, and energy. The primary concern was not sophisticated intrusion tooling — it was the exploitation of PLCs accessible directly from the internet with default or weak credentials.

The advisory describes the attack pattern:

  1. Internet scanning to identify exposed PLCs (using tools like Shodan, Censys, or FOFA)
  2. Authentication using default vendor credentials, which are widely documented
  3. Direct manipulation of PLC parameters — setpoint changes, mode alterations, process value overrides
  4. In some cases, defacement of HMI screens with politically motivated messaging

The intent has ranged from disruptive to performative. But the infrastructure is the same — the difference between a hacktivist changing a display to show a political message and an actor causing a physical process anomaly is often just the choice of what to modify.

The Poland Incident: What Escalated OT Attacks Look Like

In December 2025, malicious actors targeted renewable energy plants, a combined heat and power facility, and a manufacturing company in Poland. The attack path was similar — initial access through vulnerable internet-facing edge devices — but the impact went further: the attackers deployed wiper malware, causing physical damage to Remote Terminal Units (RTUs) and wiping HMI data.

RTU damage requires physical replacement or field restoration. In energy environments, these devices sit at the boundary between supervisory networks and field instrumentation — they relay commands to and readings from physical equipment including generators, switchgear, pumps, and valve actuators. Wiping or corrupting RTU firmware disrupts both monitoring and control capabilities simultaneously.

CERT Polska’s incident report, amplified by CISA on 10 February 2026, documented the attack as a deliberate escalation beyond espionage or disruption — it was a destructive operation against OT hardware. The edge device vector — compromised internet-facing VPN or remote access equipment — continues to be the dominant initial access pathway for OT-targeting attacks.

Why Internet-Exposed PLCs Remain Widespread

The persistence of this problem is partly architectural and partly organisational. Many industrial facilities deployed remote access to PLCs and HMIs during 2020–2022 to enable remote maintenance and monitoring without site visits. In many cases, this was done expediently — direct internet exposure, default credentials retained, no VPN or authentication layer.

The operational argument against changing default credentials is that the change might cause communication failures in tightly coupled systems where the credential is stored in multiple places. This is a real concern; it has been used to justify indefinite deferral. The result is a global population of internet-exposed PLCs — visible on Shodan today — running Siemens SIMATIC, Schneider Electric Modicon, Rockwell Allen-Bradley, and other platforms, accessible with vendor-default login credentials.

Common default credential pairs that remain in use in production environments:

Vendor / Product              Common Default
Siemens SIMATIC S7            (no authentication by default on older firmware)
Schneider Electric Modicon    User: USER, Pass: USER
Rockwell Micro820             User: admin, Pass: admin
GE PACSystems                 User: guest, Pass: guest
Mitsubishi MELSEC             (no default auth on many models)
Unitronics Vision             User: admin, Pass: 1234

Unitronics Vision PLCs were specifically targeted by Iranian actors in late 2023 (the CISA-named “CyberAv3ngers” campaign targeting US water utilities). The same vulnerability pattern — internet-exposed, default credentials — reappears in nearly every unsophisticated OT incident report.

Protocol Exposure: What Attackers See

When an attacker finds a PLC on Shodan, the accessible protocols determine what they can do without authentication:

Modbus (TCP/502): No native authentication or encryption. Any client with TCP access can read coil/register values and issue write commands. An attacker with Modbus access to a PLC controlling a pump can change setpoints, start or stop the pump, and read process values — all without credentials.

EtherNet/IP (TCP/44818): Supports CIP (Common Industrial Protocol). Authentication support varies by vendor and firmware version. Older Rockwell devices often lack access control on CIP connections from trusted network segments.

DNP3 (TCP/20000 or UDP): Primarily used in utilities (water, energy). Supports secure authentication in DNP3 SA (Secure Authentication v5), but many deployed devices do not have it enabled.

Siemens S7 (TCP/102): ISO-over-TCP. Older S7-300/400 PLCs have no authentication; any S7comm client with network access can read and write data blocks, change PLC operating mode (RUN/STOP/HALT).

Internet-exposed devices running these protocols without an authentication layer are not just vulnerable — they are trivially compromisable with free, publicly available tools (pymodbus, snap7, compal).
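The Modbus/TCP framing described above, shown as an added example that is not part of the original article: a parser for the MBAP header and function code, used as passive detection logic that flags every write request in a captured stream. The sample frames, unit id and register addresses are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Writable function codes: Modbus/TCP has no authentication, so a write is the alert.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int            # starting coil/register address
    value: Optional[int]    # payload of the single-write functions 5 and 6
    is_write: bool

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:        # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc, address = pdu[0], struct.unpack(">H", pdu[1:3])[0]
    value = None
    if fc in (5, 6):
        if len(pdu) < 5:
            raise ValueError("single-write PDU truncated")
        value = struct.unpack(">H", pdu[3:5])[0]
    return ModbusRequest(tid, unit, fc, address, value, fc in WRITE_FUNCTIONS)

def audit_frames(frames: List[bytes]) -> List[str]:
    """Return one alert line per write request found in the captured frames."""
    alerts = []
    for req in map(parse_modbus_tcp, frames):
        if req.is_write:
            alerts.append(f"unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                          f"address={req.address} value={req.value}")
    return alerts

# Constructed sample capture: one read request, then two unauthenticated writes.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # Read Holding Registers 0-9
    bytes.fromhex("0002 0000 0006 01 06 0064 0000"),  # Write register 100 := 0
    bytes.fromhex("0003 0000 0006 01 05 0001 ff00"),  # Write coil 1 := ON (0xFF00)
]
```

On a field segment where only the HMI or SCADA master should issue writes, feeding a span-port capture through audit_frames gives a direct signal for the setpoint and mode changes the advisory describes.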

Priority 1 — Eliminate direct internet exposure: Run an external scan of your own environment. Use Shodan.io with your organisation’s IP ranges or a dedicated external scan tool. Any PLC, RTU, HMI, or SCADA historian with a direct internet-facing IP address and an open industrial protocol port is an immediate remediation item. If remote access is genuinely required, it must go through a hardened VPN or industrial remote access platform (e.g., Tosibox, Secomea, Claroty Remote Access) with MFA.

Priority 2 — Change default credentials on all field devices: Build a systematic inventory. Use your asset discovery tool (Claroty, Dragos, Nozomi, Armis, or manual discovery for smaller environments) to enumerate PLCs, RTUs, and HMIs with vendor-default credentials. Work with maintenance engineers to change credentials in a controlled change window — have rollback procedures ready if communication failures occur. Document every changed credential in a privileged access management vault.

Priority 3 — Network segmentation: Field devices running Modbus, EtherNet/IP, or S7comm should not be reachable from corporate IT networks or the internet. A properly implemented Purdue Model — or its modern equivalent, IEC 62443 zones and conduits — places field devices in a Level 1 zone that requires traversal through a Level 3.5 DMZ to reach from higher network levels. If your field devices are reachable from a workstation on your corporate domain, your segmentation is insufficient.
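Priority 1 and Priority 3 both reduce to a question a flow-log audit can answer: which sources reach industrial protocol ports on Level 1 devices, and are they the permitted Level 3.5 conduit? The following is an added example, not code from the article or the advisory; the zone addressing is an assumed placeholder layout and the flow records are constructed.

```python
import csv
import ipaddress
from io import StringIO

# Industrial protocol ports named in the article; a flow to one of these on a
# field-zone address is OT traffic and must arrive only through the DMZ conduit.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# Assumed zone layout (placeholder addresses, not taken from the advisory):
FIELD_ZONE = ipaddress.ip_network("10.10.1.0/24")   # Level 1 PLCs/RTUs
CONDUIT = ipaddress.ip_network("10.10.35.0/24")     # Level 3.5 DMZ jump hosts
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # all enterprise address space

def classify_flow(src: str, dst: str, dport: int):
    """Return None for non-OT traffic, 'permitted' for conduit traffic,
    otherwise the finding class a segmentation audit should raise."""
    dst_ip = ipaddress.ip_address(dst)
    if dport not in OT_PORTS or dst_ip not in FIELD_ZONE:
        return None
    src_ip = ipaddress.ip_address(src)
    if src_ip in CONDUIT:
        return "permitted"
    if src_ip in INTERNAL:
        return "segmentation_violation"   # corporate IT reaching Level 1 directly
    return "internet_exposure"            # non-enterprise source reaching a PLC

def audit_flows(log_text: str):
    """Parse CSV flow records (src,dst,dport) and return the findings."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        dport = int(row["dport"])
        verdict = classify_flow(row["src"], row["dst"], dport)
        if verdict not in (None, "permitted"):
            findings.append((verdict, row["src"], row["dst"], OT_PORTS[dport]))
    return findings

# Constructed sample flow log (a firewall/NetFlow export reduced to three columns).
SAMPLE_FLOWS = """src,dst,dport
10.10.35.7,10.10.1.20,502
10.20.4.15,10.10.1.20,502
198.51.100.77,10.10.1.21,102
10.20.4.15,10.20.4.1,443
10.10.35.7,10.10.1.22,44818
"""

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Run against real firewall or NetFlow exports, a single internet_exposure finding is a Priority 1 item and any segmentation_violation shows the Purdue/IEC 62443 conduit is being bypassed.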

Priority 4 — Enable vendor security features: Many modern PLC firmware releases include optional authentication features that are disabled by default for backwards compatibility. Siemens S7-1500 supports role-based access control and communication encryption; Rockwell FactoryTalk supports authentication for EtherNet/IP connections. Review vendor hardening guides for each platform in your environment — these guides exist and are typically free to access.

CISA’s advisory includes specific mitigation guidance and applies to organisations of all sizes and sectors. The threat is not theoretical — it is documented, active, and requires no advanced capabilities to execute.
