TL;DR — too long, didn’t read
Six US agencies warn: Iranian-affiliated actors are inside internet-exposed Rockwell PLCs — the same controllers that run port cranes, ballast systems, and power management are being actively exploited; CISA advisory AA26-097A published 7 April
Your next cyber attack will look like a port agent email — Red Sky Alliance documents vessel impersonation phishing campaigns using PDA requests, agency appointments, and ship names to deliver malware to shipowners and managers
179 industrial controllers, no passwords, sitting on the open internet — Comparitech finds Modbus TCP devices fully exposed; Modbus, the shipboard sensor standard since 1979, has no authentication layer
Three things that matter this week
Six US agencies warn: Iran is inside your PLCs
On 7 April 2026, six US federal agencies — FBI, CISA, NSA, EPA, the Department of Energy, and US Cyber Command — jointly issued advisory AA26-097A. The target: internet-exposed programmable logic controllers made by Rockwell Automation. The actor: Iranian-affiliated APT groups, including those assessed by industry as CyberAv3ngers.
The advisory documents a specific and operational threat. Actors are actively scanning for and exploiting Rockwell CompactLogix and Micro850 PLCs, as well as Siemens S7 and other Modbus-capable devices. What makes this campaign technically significant is how the access is used: attackers are connecting with Rockwell's own engineering software, Studio 5000 Logix Designer, to interact with PLCs — traffic that is indistinguishable from routine maintenance activity. Once inside, they exfiltrate .ACD project files (which contain full PLC configuration), manipulate HMI and SCADA displays, and deploy Dropbear SSH to establish persistent access on OT endpoints.
The primary sectors named in the advisory are Government Facilities, Water/Wastewater, and Energy. But Rockwell PLCs are not confined to those environments. They are the controllers behind ship-to-shore cranes, automated stacking cranes, and conveyor systems in port terminals. On vessels, the same product families appear in ballast water management systems, propulsion control, and power management. If those PLCs are connected to the internet — via port Wi-Fi, cellular modem, or satellite link — without a VPN or proper network segmentation, the advisory applies directly.
Why this matters: Six agencies publishing a joint advisory is unusual. It is a signal of operational confidence in the intelligence — not a theoretical warning but a documented active campaign. The technique of using legitimate vendor tooling to blend with normal engineering traffic is significant: it defeats detection approaches that rely on alerting on unusual tools rather than unusual behaviour. Maritime OT environments, where remote engineering access via satellite is common, are particularly exposed to this vector.
One thing to do: Check whether any Rockwell or Allen-Bradley PLCs in your port or vessel environment are reachable from outside the control network. If Studio 5000 can reach them from an external network, an attacker can too. Start with PLCs connected via cellular modem or satellite. The advisory's mitigation is network isolation — there is no software patch that removes internet exposure.
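To make the "unusual behaviour, not unusual tools" point concrete, here is an added example written for this newsletter (it is not code from the advisory or from Rockwell): a short Python check over constructed firewall flow records that flags any session to a PLC that comes from outside the engineering-workstation allowlist, from a public address, outside the maintenance window, or over SSH. The PLC inventory, workstation allowlist, maintenance window and address ranges are assumed values for a fictional site; TCP 44818 is the EtherNet/IP port Studio 5000 uses to reach Logix controllers, and the SSH rule is the Dropbear indicator the advisory describes.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample of connection records as an OT firewall or flow collector
# might export them (not real data): timestamp, src_ip, dst_ip, dst_port, proto.
SAMPLE_FLOWS = """\
2026-04-07T09:14:02 10.20.5.11 10.30.1.20 44818 tcp
2026-04-07T03:41:55 10.20.5.11 10.30.1.20 44818 tcp
2026-04-07T10:02:17 198.51.100.77 10.30.1.20 44818 tcp
2026-04-07T10:05:40 10.20.5.40 10.30.1.21 44818 tcp
2026-04-07T11:22:09 10.20.5.11 10.30.1.20 22 tcp
2026-04-07T11:30:00 10.20.5.11 10.30.1.20 502 tcp
"""

# Assumed site inventory: which hosts are PLCs, which workstations may run
# engineering software against them, and when maintenance normally happens.
PLC_HOSTS = {"10.30.1.20", "10.30.1.21"}
ENGINEERING_WORKSTATIONS = {"10.20.5.11"}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))

# Engineering/control protocols worth watching. TCP 44818 is EtherNet/IP, the
# transport Studio 5000 uses to talk to Logix controllers; 502 is Modbus TCP.
ENGINEERING_PORTS = {44818: "EtherNet/IP (CIP)", 502: "Modbus TCP"}
SSH_PORT = 22  # an SSH session to a PLC is the Dropbear persistence indicator

# Address ranges treated as "inside the plant". Explicit RFC 1918 networks are
# used rather than ipaddress's is_private, which also classifies the
# documentation range used in the sample (198.51.100.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() <= end


def analyse_flows(text: str) -> list:
    """Return one finding per flow to a PLC that violates the behavioural baseline.

    The rules key on who talks to a PLC, over what, and when, not on which
    tool is in use, so a session from legitimate vendor software is still
    flagged when it comes from the wrong place or at the wrong time.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, src, dst, port_s, proto = line.split()
        if dst not in PLC_HOSTS:
            continue
        ts, port = datetime.fromisoformat(ts_s), int(port_s)
        reasons = []
        if not is_internal(src):
            reasons.append("internet-exposed")       # PLC reachable from a public address
        if port == SSH_PORT:
            reasons.append("ssh-on-ot-endpoint")     # PLCs do not normally speak SSH
        if port in ENGINEERING_PORTS:
            if src not in ENGINEERING_WORKSTATIONS:
                reasons.append("unapproved-workstation")
            if not in_window(ts):
                reasons.append("outside-window")
        if reasons:
            findings.append({"time": ts_s, "src": src, "dst": dst,
                             "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['src']} -> {f['dst']}:{f['port']}  {', '.join(f['reasons'])}")
```

Running it prints four findings from the six sample records. The two sessions from the approved workstation inside the window pass, including the one over the engineering protocol, which is the point: the rule looks at source, timing and destination rather than at the tool. Feeding it a real flow export means adjusting the field order in analyse_flows to match your collector and keeping the PLC inventory current.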
Your next cyber attack will look like a port agent email
Red Sky Alliance published its Vessel Impersonation and Supply Chain Report on 7 April 2026, covering malicious email campaigns observed in March. The report documents a consistent and specifically maritime-targeted social engineering method: emails using MV and MT vessel designations, port terminology, and recognisable transaction types in subject lines to deliver trojans and credential-stealing malware.
The subject lines documented in the report are not generic phishing. They read like operational traffic: "MV HLV REGINE PORT INQUIRY — PROFOMAR DA", "LIBRA HONOR AGENCY APPOINTMENT // PDA REQUEST", "PDA for Windermere (IMO 1067469)". A PDA — Proforma Disbursement Account — is a routine document in port agency operations. An operations coordinator who handles port calls knows exactly what a PDA request looks like, and that familiarity is the attack surface.
The targets are shipowners, ship managers, and maritime service vendors. The goal is not a single compromise but a chain: credential theft from one company creates access to partner systems, cargo data, and vessel communications. Red Sky Alliance feeds intelligence into MTS-ISAC and has a sustained track record tracking maritime-targeting malware campaigns, including Agent Tesla and Blackshades campaigns directed at shipping companies.
The technique is significant because it inverts the usual dynamic of phishing training. Generic awareness programmes teach staff to be suspicious of emails from unfamiliar senders using unusual language. These emails use correct maritime terminology, plausible vessel names, and transaction types that trigger action — not suspicion. Standard phishing awareness does not address maritime-specific lures.
Why this matters: The sophistication here is not technical — there are no zero-days involved. The sophistication is contextual knowledge. An attacker who knows what a PDA request is, and who receives one, has already cleared the most significant barrier in phishing: the moment of hesitation. The implication is that maritime organisations need awareness training that reflects the actual terminology and transaction types their staff handle, not a generic corporate phishing simulation.
One thing to do: Forward this to your operations team. Then ask honestly: would anyone in your office open an email with "MV [vessel name] AGENCY APPOINTMENT" in the subject line? If yes, that gap is your risk. A maritime-specific phishing simulation — using PDA requests, LOI documents, or disbursement accounts as lures — will tell you far more about your actual exposure than a generic test.
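One way to turn the "maritime-specific lures" point into a mail-triage check, as an added example written for this newsletter rather than anything from the Red Sky Alliance report: a Python scorer over constructed inbound messages that looks for agency-transaction terms (PDA, agency appointment, disbursement) combined with a sender domain not on the appointed-agents list, a vessel or IMO number with no scheduled port call, an IMO number that fails its check digit, or an executable or archive attachment. The domains, vessel names, schedule, lure list and score weights are assumptions; the IMO check-digit rule (the first six digits weighted 7 down to 2, summed, mod 10) is the standard one.

```python
import re
from typing import Optional

# Constructed inbound messages (sender, subject, attachment name); not taken
# from the report. Domains use the reserved .example TLD.
SAMPLE_MESSAGES = [
    {"sender": "ops@portagent.example",
     "subject": "PDA for MV EXAMPLE STAR (IMO 9074729) - Port of Rotterdam",
     "attachment": "PDA_ExampleStar.pdf"},
    {"sender": "disbursement@portagent-mail.example",
     "subject": "MV EXAMPLE STAR AGENCY APPOINTMENT // PDA REQUEST",
     "attachment": "PDA_REQUEST.iso"},
    {"sender": "accounts@shipsupply.example",
     "subject": "PDA REQUEST - MT TEST TIDE (IMO 9074720)",
     "attachment": "PDA.zip"},
    {"sender": "crew@shipsupply.example",
     "subject": "Crew change schedule Q2",
     "attachment": None},
]

# Assumed operations reference data: agents actually appointed by this company
# and port calls currently scheduled (vessel name -> IMO number).
KNOWN_AGENT_DOMAINS = {"portagent.example"}
SCHEDULED_PORT_CALLS = {"EXAMPLE STAR": "9074729"}

# Transaction terms the report's lures use; assumed list, extend from your own traffic.
LURE_TERMS = ("PDA", "PROFORMA", "DISBURSEMENT", "AGENCY APPOINTMENT", "PORT INQUIRY", "LOI")
STOP_WORDS = {"AGENCY", "APPOINTMENT", "PORT", "INQUIRY", "PDA", "REQUEST", "IMO"}
RISKY_EXTENSIONS = (".iso", ".zip", ".rar", ".exe", ".scr", ".js", ".vbs", ".lnk")
VESSEL_RE = re.compile(r"\b(MV|MT)\s+([A-Z0-9 ]+)")
IMO_RE = re.compile(r"\bIMO\s*(\d{7})\b")


def imo_check_ok(imo: str) -> bool:
    """IMO ship numbers: 7 digits, the last is a check digit equal to
    (7*d1 + 6*d2 + 5*d3 + 4*d4 + 3*d5 + 2*d6) mod 10."""
    if len(imo) != 7 or not imo.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(imo[:6], range(7, 1, -1)))
    return total % 10 == int(imo[6])


def extract_vessel(subject: str) -> Optional[str]:
    """Return the vessel name following an MV/MT prefix, cut at transaction words."""
    m = VESSEL_RE.search(subject)
    if not m:
        return None
    words = []
    for w in m.group(2).split():
        if w in STOP_WORDS:
            break
        words.append(w)
    return " ".join(words) or None


def triage(msg: dict) -> dict:
    subject = msg["subject"].upper()
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    score, reasons = 0, []

    lure = any(re.search(r"\b" + re.escape(t) + r"\b", subject) for t in LURE_TERMS)
    if lure:
        score += 1
        reasons.append("maritime-lure-term")
        if domain not in KNOWN_AGENT_DOMAINS:
            # Agency paperwork from a domain this company has never appointed.
            score += 2
            reasons.append("agency-traffic-from-unknown-domain")

    vessel = extract_vessel(subject)
    imo_match = IMO_RE.search(subject)
    imo = imo_match.group(1) if imo_match else None
    if imo and not imo_check_ok(imo):
        score += 1
        reasons.append("invalid-imo-check-digit")
    if vessel or imo:
        scheduled = vessel in SCHEDULED_PORT_CALLS or imo in SCHEDULED_PORT_CALLS.values()
        if not scheduled:
            # A PDA for a vessel with no port call on the books is the strongest signal.
            score += 2
            reasons.append("no-matching-port-call")

    attachment = (msg["attachment"] or "").lower()
    if attachment.endswith(RISKY_EXTENSIONS):
        score += 2
        reasons.append("risky-attachment-type")

    verdict = "hold-for-verification" if score >= 3 else "deliver"
    return {"score": score, "reasons": reasons, "vessel": vessel, "imo": imo, "verdict": verdict}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        r = triage(m)
        print(f"{r['verdict']:22} score={r['score']}  {m['subject']!r}  {r['reasons']}")
```

The cross-check against scheduled port calls is the part generic mail filtering cannot do: it needs the operations team's own data, which is exactly the knowledge the lures are imitating. The IMO check digit helps parsing more than detection; the number in the report's sample subject line, 1067469, passes it, so a well-formed identifier is no evidence that a request is genuine.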
179 industrial controllers, no passwords, on the open internet
On 10 April 2026, Comparitech published a study of internet-facing industrial control systems communicating over Modbus TCP on port 502. They found 179 devices fully exposed: no authentication, no encryption, responding to commands from any IP address on the internet.
Modbus was created in 1979 as a simple, reliable protocol for connecting sensors to controllers on isolated factory floors. It was never designed to be internet-facing, and it was never designed for authentication — by the time those became concerns, Modbus was already embedded in tens of thousands of installations worldwide. The protocol remains in wide use today because industrial equipment has long lifespans and replacement is expensive. Any device running Modbus TCP that is reachable from the internet will respond to command packets from any source, without any form of verification.
The sectors Comparitech identified include power grids, manufacturing, and transportation. In maritime environments, Modbus is the default communication protocol for shipboard sensor systems: engine room monitoring, fuel level sensors, temperature and pressure gauges, and in many older installations, bridge-opening mechanisms and fuel transfer systems at ports. Each of the 179 exposed devices represents a point where an attacker can read operational data and, depending on device configuration, issue commands.
For ICS, 179 is not a small number. These are not misconfigured web servers — each is a potential point of physical disruption. An attacker reading engine room data gains intelligence about vessel operations. An attacker who can send commands to a fuel transfer system, or a bridge-opening mechanism at a river port, can cause physical consequences without any access to IT systems.
Why this matters: The maritime sector has been rightly focused on ransomware and IT network compromise. The Comparitech data is a reminder that some of the most critical exposures are simpler: legacy protocols with no authentication, directly internet-reachable because someone connected a modem to a sensor network without segmentation. There is no vulnerability to patch here — Modbus does not support authentication. The only mitigation is network isolation.
One thing to do: Run a port scan for TCP port 502 on your external IP ranges. If any Modbus device responds from the internet, you have a critical exposure that needs to be firewalled immediately. This takes less than ten minutes and requires no specialist tools. If you find one, treat it as a P1.
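To make the "no authentication layer" point concrete, here is an added example written for this newsletter (not code from the Comparitech study or from any Modbus vendor): a Python decoder for the Modbus TCP MBAP header and PDU, run over constructed frames, that classifies each request as a read or write and flags writes from hosts outside an assumed allowlist or from outside the plant address ranges. The header layout and function codes are those of the Modbus Application Protocol specification; the capture, address ranges and allowlist are constructed.

```python
import ipaddress
import struct

# Function codes from the Modbus Application Protocol Specification V1.1b3.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed capture of (source IP, TCP payload on port 502); not from any real device.
SAMPLE_CAPTURE = [
    ("10.30.2.5",   bytes.fromhex("000100000006010300000001")),  # read 1 holding register at 0
    ("10.30.2.5",   bytes.fromhex("0002000000060106001000ff")),  # write 255 to register 16
    ("203.0.113.9", bytes.fromhex("00030000000601050003ff00")),  # coil 3 ON, from a public address
    ("10.30.1.20",  bytes.fromhex("000400000003018302")),        # exception reply from the PLC
]

# Assumed plant address plan. Explicit RFC 1918 ranges are used rather than
# ipaddress's is_private, which also treats documentation ranges such as
# 203.0.113.0/24 (used above for the outsider) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_mbap(frame: bytes) -> dict:
    """Decode one Modbus TCP ADU: 7-byte MBAP header followed by the PDU.

    Header: transaction id (u16), protocol id (u16, always 0), length (u16,
    count of bytes that follow it), unit id (u8). Then function code (u8)
    and data. Every field is plain data; the format has no place for a
    credential, nonce or integrity tag, which is the missing authentication.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match payload {len(frame) - 6}")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_mbap(frame)
        return True
    except ValueError:
        return False


def describe(frame: bytes) -> dict:
    """Classify a frame as read, write, exception reply or other, with operands."""
    p = parse_mbap(frame)
    fc, data = p["function"], p["data"]
    if fc in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[fc]
    elif fc in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[fc]
    elif fc & 0x80:
        kind, name = "exception", f"Exception reply to FC {fc & 0x7F}"
    else:
        kind, name = "other", f"FC {fc}"
    # Read requests and single writes carry two big-endian u16 operands:
    # start address, then quantity (reads) or value (single writes).
    address = operand = None
    if (fc in READ_FUNCTIONS or fc in (5, 6)) and len(data) >= 4:
        address, operand = struct.unpack(">HH", data[:4])
    return {**p, "kind": kind, "name": name, "address": address, "operand": operand}


def audit_capture(capture, allowed_writers: set) -> list:
    """Flag writes from hosts not expected to write, and any traffic from outside the plant."""
    flagged = []
    for src, frame in capture:
        d = describe(frame)
        reasons = []
        if not is_internal(src):
            reasons.append("external-source")
        if d["kind"] == "write" and src not in allowed_writers:
            reasons.append("unapproved-write")
        if reasons:
            flagged.append({"src": src, "name": d["name"], "address": d["address"],
                            "operand": d["operand"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for src, frame in SAMPLE_CAPTURE:
        d = describe(frame)
        print(f"{src:13} unit={d['unit_id']} {d['name']:28} addr={d['address']} operand={d['operand']}")
    for f in audit_capture(SAMPLE_CAPTURE, allowed_writers={"10.30.2.5"}):
        print("FLAG", f)
```

Walking through the header shows why isolation is the only mitigation: transaction id, protocol id, length, unit id, function code, operands, and nothing else. There is nowhere to carry a credential, so any host that can reach port 502 can send the same Write Single Coil request as the HMI. Pointed at a packet capture from the control network, the same decoder produces the list of hosts that actually write to each controller, which is the allowlist a firewall rule in front of the device needs.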
Coming up
Singapore Maritime Week — April 2026. Includes the panel "Defending the Digital Tide: IT, OT, and Human Factors" with speakers from MPA Singapore, Hamburg Port Authority, and PIL. Full details at mc3.maritime-ogmios.tech
Maritime Cyber Security Conference 2026 — Manila, 15–16 April. Norwegian Training Center + Philippine partners. Theme: "Access Granted: Anchors Up, Firewalls On." mc3.maritime-ogmios.tech
MARSEC COE Istanbul — May 2026. NATO Centre of Excellence for Maritime Cyber. mc3.maritime-ogmios.tech
Full conference calendar: mc3.maritime-ogmios.tech
Number of the week
6 — The number of US federal agencies that jointly issued advisory AA26-097A on 7 April 2026: FBI, CISA, NSA, EPA, the Department of Energy, and US Cyber Command. Joint advisories at this scale are rare. They require coordinated intelligence assessment across agencies with different authorities and visibility. When six agencies agree on a single advisory, the threat is operational, not theoretical. If you have Rockwell PLCs connected to external networks, this number is the reason to act this week.
Resource of the week
CISA Advisory AA26-097A — the full text of the Iranian PLC advisory, with indicators of compromise and specific mitigations for Rockwell CompactLogix and Micro850 environments. If you operate Allen-Bradley or Rockwell PLCs in a port or vessel environment, this is essential reading. → cisa.gov/resources-tools/resources/ics-alerts
Free tabletop exercise: Port Ransomware Attack — your port's cargo management system goes dark. Container tracking offline. Manual operations only. 15 minutes, runs in your browser, no signup required. Test how your team responds before an attacker does. → tabletop.maritime-ogmios.tech
