Two Advisories, Overlapping Risk
CISA published two ICS security advisories on 31 March 2026 (day 090 of the year, per CISA’s advisory naming convention), covering vulnerabilities in two of the most widely-deployed industrial automation platforms in critical infrastructure environments globally.
ICSA-26-090-01 covers vulnerabilities in Rockwell Automation ControlLogix and CompactLogix programmable logic controllers, including the EtherNet/IP communications stack. These are the same Allen-Bradley platforms that Iranian-affiliated threat actors have been actively targeting across US water, energy, and government facilities — making this advisory particularly urgent for operators of affected hardware.
ICSA-26-090-02 covers a high-severity vulnerability in the Siemens SIMATIC S7-1500 PLC series and the associated TIA Portal engineering software. The vulnerability affects the OPC UA server implementation and could allow a remote, unauthenticated attacker to cause a denial-of-service condition by sending malformed OPC UA packets, disrupting communications between the PLC and supervisory control systems.
Context: Why March ICS Advisories Matter More
March has seen an unusual volume of ICS advisory activity from CISA, and the advisories land at a moment when operational technology security has moved sharply up the threat hierarchy. Intelligence agencies have documented active, ongoing disruption campaigns by Iranian-affiliated APT actors against internet-exposed PLCs across US critical infrastructure — specifically targeting Rockwell/Allen-Bradley devices.
The attack pattern documented by US agencies involves direct manipulation of PLC project files and HMI displays, resulting in operational disruption rather than data theft. In several confirmed incidents, attackers have caused physical disruption to industrial processes. This is not theoretical risk.
Who Is Exposed
Rockwell Automation ControlLogix and CompactLogix platforms are installed across hundreds of thousands of facilities globally — water treatment, electricity generation and distribution, oil and gas, food and beverage manufacturing, and building automation. Many older installations were designed to be accessible over OT network segments with minimal authentication on the assumption that physical network isolation would protect them. That isolation has eroded over years of IT/OT convergence.
Siemens SIMATIC S7-1500 is deployed extensively in European manufacturing and process automation, and in critical national infrastructure including rail, utilities, and chemical processing. Siemens advises restricting OPC UA access to trusted engineering workstations and ensuring the affected firmware versions are updated.
ICS Vulnerability Management Challenges
Unlike IT systems where patching is a routine procedure, ICS patching requires careful planning. PLC firmware updates often require scheduled plant downtime, coordination with engineering teams, and testing to verify that the update does not affect the logic programme running on the device. This creates windows of exposure that can span weeks or months after a vulnerability is published.
For this reason, CISA’s ICS advisories always include compensating control guidance alongside patch recommendations. For both ICSA-26-090-01 and ICSA-26-090-02, the recommended compensating controls include:
- Network segmentation: PLCs should not be directly reachable from the internet or from corporate IT networks without a properly configured industrial DMZ (IDMZ) with explicit access controls.
- Disable unnecessary services: If EtherNet/IP or OPC UA remote access is not required for operations, disable the relevant service at the network level.
- Access control lists: Restrict communications to the PLC to known engineering workstation IP addresses only.
- Monitoring: Deploy OT-aware network monitoring to detect anomalous commands or unexpected connections to PLC devices.
Recommended Actions
- Identify all ControlLogix, CompactLogix, and SIMATIC S7-1500 devices in your OT environment and check current firmware versions against the affected versions listed in ICSA-26-090-01 and ICSA-26-090-02 respectively.
- Assess internet exposure immediately. Any PLC reachable directly from the internet is a critical incident waiting to happen — isolate it now and schedule proper network segmentation work.
- Work with your OT engineering team to schedule firmware updates within the next maintenance window. For Rockwell devices specifically, given confirmed Iranian APT targeting, this should be treated as priority one.
- Review access logs for EtherNet/IP and OPC UA services for unexpected connection attempts, particularly from IP addresses outside your operational subnet range.
- Subscribe to CISA ICS Advisory email notifications if you are not already. The volume and urgency of OT vulnerability disclosures have increased significantly in the first quarter of 2026.