Rail's PLCs Are on the Target List. Here's the Field Guide.
When CISA names Iran-affiliated APT actors actively exploiting programmable logic controllers across U.S. critical infrastructure, rail doesn’t get to sit this one out.
CISA Joint Cybersecurity Advisory AA26-097A confirms active exploitation of internet-facing PLCs across government services, energy, and water. The advisory is sector-specific in its examples — but the exposure pattern isn’t. Attackers don’t scan by industry. They scan by port and protocol. If your controller answers on TCP/102 (Siemens S7) or TCP/502 (Modbus) from the public internet, you are in scope.
Rail is built on PLCs. Signaling and interlockings. Grade crossing protection. Yard control. Rolling stock subsystems. Bridge and tunnel hydraulics. Fueling and facility infrastructure. Every one of those controllers sits a misconfigured cellular modem, a forgotten vendor VPN, or a default credential away from being the next headline.
The good news: the defensive playbook is already public, and it’s executable this week.
What the field guide covers
We pulled CISA’s guidance into a five-step workflow that OT engineers, SOC analysts, and rail safety leads can actually run against their environment:
- Discover. Outside-in scans of your ASN against industrial ports, cross-referenced with internal OT asset inventories – so no PLC, RTU, or networked controller is left off the list.
- Disconnect. Pull internet-facing controllers back behind VPN + MFA, audit every cellular modem, and lock physical mode switches to “Run.”
- Harden. Device, network, and identity-layer controls – patching, segmentation, MFA for every human with a path into OT.
- Monitor. Configuration drift, protocol anomalies, new assets, and outside-in exposure checks that keep running after the project is “done.”
- Validate. Map your detections and controls to the MITRE ATT&CK techniques named in the advisory – turning a checklist into evidence your auditors and your board will accept.
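As an added example of the Discover step's cross-reference (this is not Cervello's or CISA's code), the script below reconciles a constructed outside-in scan result against a constructed OT inventory: it flags inventoried controllers that answer on TCP/102 or TCP/502 from the public side and, more importantly, controllers the inventory does not know about. The addresses, asset names and sites are assumptions made up for the illustration.

```python
"""Reconcile an outside-in industrial-port scan with an internal OT inventory.

Added example; not Cervello or CISA code. SCAN_RESULTS and INVENTORY are
constructed sample data. In practice the scan comes from an external scan
of your own ASN and the inventory from your OT asset register.
"""

# Industrial services named on the page: TCP/102 (Siemens S7), TCP/502 (Modbus).
INDUSTRIAL_PORTS = {102: "Siemens S7", 502: "Modbus/TCP"}

# Constructed scan output: (public IP, open TCP port). Non-industrial ports
# are included to show they are ignored.
SCAN_RESULTS = [
    ("203.0.113.10", 502),
    ("203.0.113.10", 443),
    ("203.0.113.25", 102),
    ("203.0.113.40", 502),   # not in the inventory: shadow OT
]

# Constructed OT inventory keyed by the address the outside world sees.
INVENTORY = {
    "203.0.113.10": {"asset": "Yard PLC-3", "site": "North Yard"},
    "203.0.113.25": {"asset": "Crossing controller CR-17", "site": "Mile 212"},
    "203.0.113.55": {"asset": "Tunnel pump PLC", "site": "Tunnel B"},
}


def reconcile(scan, inventory):
    """Return three buckets: 'exposed' (inventoried asset reachable on an
    industrial port), 'unknown' (industrial port open on an address the
    inventory lacks) and 'not_exposed' (inventoried asset with no industrial
    port observed from outside)."""
    exposed, unknown, observed = [], [], set()
    for ip, port in scan:
        if port not in INDUSTRIAL_PORTS:
            continue
        observed.add(ip)
        finding = {"ip": ip, "port": port, "protocol": INDUSTRIAL_PORTS[port]}
        if ip in inventory:
            finding.update(inventory[ip])
            exposed.append(finding)
        else:
            unknown.append(finding)
    not_exposed = [{"ip": ip, **inventory[ip]} for ip in inventory if ip not in observed]
    return {"exposed": exposed, "unknown": unknown, "not_exposed": not_exposed}


if __name__ == "__main__":
    for bucket, findings in reconcile(SCAN_RESULTS, INVENTORY).items():
        print(f"{bucket} ({len(findings)}):")
        for f in findings:
            print("  ", f)
```

The 'unknown' bucket is the one the Discover step exists to catch: every entry there is a controller answering an industrial protocol from the internet that nobody has on the list.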
The full guide walks through each step with concrete actions, the specific industrial ports and services to check, detection use cases worth pre-building, and the evidence rail operators should retain to defend the program later.
Why Cervello wrote this
We built Cervello for rail. Every day, we help operators turn discovery, hardening, and monitoring from a one-time scramble into an always-on program, tuned to the realities of signaling, rolling stock, and trackside OT. AA26-097A is exactly the scenario our platform was built for.
If you’re working through the advisory and want a second set of eyes on rail-specific OT exposure, we’re here.