Iran's PLC Campaign: OT/IT Convergence Risks for SAMA Banks

CISA's April 2026 advisory reveals an Iranian APT campaign abusing internet-exposed Rockwell PLCs. SAMA-regulated banks run similar OT systems in data centers and branches—here's how to defend them.

FyntraLink Team

CISA's April 2026 advisory AA26-097A confirms what many ICS defenders feared: an Iranian-affiliated APT is actively manipulating internet-exposed Rockwell Automation PLCs across U.S. water, energy, and government facilities — without using a single zero-day. For SAMA-regulated financial institutions, the implications reach further than the headlines suggest, because the same PLC and HMI families quietly run data center cooling, branch physical access, UPS arrays, and ATM logistics in Saudi Arabia.

The Campaign: Living Off Vendor Tooling, Not Exploits

According to CISA, the Iranian threat actor reaches PLCs that have been left exposed on the public internet — typically through misconfigured firewalls, vendor remote-access portals, or contractor VPN gaps — and connects directly using legitimate vendor software such as Rockwell Studio 5000 Logix Designer. Once authenticated (often with default or weak engineering credentials), the operator opens project files, modifies ladder logic, and pushes corrupted data to the HMI/SCADA layer. There is no malicious binary to detect, no CVE to patch, and very little anomalous network traffic — which is precisely the point.

This is the operational technology equivalent of a domain admin logging in with their own password. The activity blends into normal engineering workflow, defeats most signature-based controls, and is invisible to IT security teams that have never been granted visibility into the OT network in the first place.

Why "Living-off-the-Land" Changes the OT Threat Model

For years, OT security guidance assumed that attackers needed exotic capabilities — Stuxnet-class implants, custom protocol fuzzers, or insider-supplied schematics. The 2026 campaign rejects that assumption. VulnCheck's recent telemetry shows that 56.4% of ransomware-linked CVEs in 2025 were first weaponized as zero-days, but Iran's PLC operators didn't need a CVE at all. Internet exposure plus weak engineering authentication was sufficient.

That lowers the barrier for every adversary watching from the sidelines. Hacktivist groups, ransomware affiliates targeting industrial sites, and other state-aligned APTs (notably MuddyWater and APT35, both with documented interest in Saudi infrastructure) can now reuse the same playbook against any organization with internet-reachable Allen-Bradley CompactLogix, ControlLogix, or Micro800 controllers — or comparable Siemens S7, Schneider M580, and Mitsubishi MELSEC equipment. Saudi banks are not water utilities, but they share the underlying engineering platforms.

Impact on Saudi Financial Institutions

SAMA-regulated banks rarely think of themselves as ICS operators, yet most run a meaningful OT footprint: precision cooling and chillers in their primary and DR data centers, building management systems (BMS) governing physical access and CCTV, UPS and standby generation telemetry, fire suppression interlocks, and increasingly the cash-handling robotics inside cash centers. Many of these systems are managed by facility contractors who insist on remote engineering access — exactly the vector CISA identified.

SAMA Cyber Security Framework controls 3.3.5 (Asset Management for OT/ICS), 3.3.13 (Network Security), and 3.3.14 (Cryptographic Controls) all assume the bank can identify, segregate, and authenticate access to these assets. The NCA Essential Cybersecurity Controls (ECC-1:2018, sub-control 2-13) and the more prescriptive OTCC-1:2022 go further, mandating architectural segregation between IT and OT and prohibiting direct internet exposure of control systems. A Riyadh-based bank discovering a Studio 5000 session originating from a Tehran-allocated IP would face simultaneous CSCC, ECC, OTCC, and PDPL incident-reporting obligations within 72 hours.

Defensive Priorities for SAMA-Regulated Banks

  1. Run an external attack-surface scan today against your data center, DR site, and cash-center IP ranges using Shodan, Censys, or your TI provider — specifically searching for Rockwell port 44818 (EtherNet/IP), 2222, Siemens 102 (S7comm), Modbus 502, and BACnet 47808. Anything responding from a public IP is a finding.
  2. Enforce a Purdue Model boundary between Level 3 (operations) and Levels 0–2 (control). All engineering access must traverse a jump host with MFA, session recording, and time-bound credentials — never a flat VPN to the contractor's laptop.
  3. Replace default and shared engineering passwords on every PLC, HMI, and historian. Where firmware permits, enable controller mode-switch keying and vendor-native CIP Security or equivalent.
  4. Deploy passive OT monitoring (Claroty, Nozomi, Dragos, or equivalent) on a SPAN port at each plant cell. The goal is asset inventory and protocol-aware alerting, not active scanning, which can crash legacy controllers.
  5. Update the Cyber Incident Response Plan to include OT scenarios with explicit RACI for Facilities, IT, and the SOC. Tabletop a "logic tampering" event quarterly — most banks have never rehearsed one.
  6. Map every facility-management contractor to the SAMA Third-Party Cyber Security Standard. Contracts must compel vendor MFA, log forwarding to your SIEM, and a right-to-audit clause covering the engineering workstations they bring on-site.
  7. Validate the gap with an OT-specific assessment. A scoped engagement combining external exposure mapping, internal Purdue review, and vendor-access audit typically surfaces 15–25 findings in a first pass.
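The exposure check in step 1 and the Purdue boundary rule in step 2 can be expressed as a single piece of detection logic run over flow records from the passive monitoring in step 4. The block below is an added example, not Fyntralink's tooling: it assumes Zeek-style connection records, that Levels 0-2 live in an assumed 10.200.0.0/16 range, and that 10.30.5.10 is the assumed MFA jump host; all sample addresses and log lines are constructed.

```python
"""Flag OT-protocol flows that are internet-exposed or bypass the engineering jump host."""
import ipaddress

# ICS service ports from the exposure checklist (port -> protocol label)
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP-IO", 102: "S7comm",
            502: "Modbus/TCP", 47808: "BACnet/IP"}

# RFC 1918 space is treated as "inside the bank"; anything else is the internet
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed addressing: Purdue Levels 0-2 (control) live in this range
CONTROL_NET = ipaddress.ip_network("10.200.0.0/16")
# Assumed MFA jump host that every engineering session must traverse
JUMP_HOSTS = {ipaddress.ip_address("10.30.5.10")}


def classify(src, dst, dst_port):
    """Return a finding string for one flow, or None if the flow is permitted."""
    if dst_port not in OT_PORTS:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    proto = OT_PORTS[dst_port]
    if not any(s in net for net in INTERNAL_NETS):
        return f"INTERNET-EXPOSED: {proto} on {dst} reached from public {src}"
    if d in CONTROL_NET and s not in CONTROL_NET and s not in JUMP_HOSTS:
        return f"BOUNDARY-BYPASS: {proto} to {dst} from {src} not via jump host"
    return None  # intra-cell traffic (e.g. SCADA polling a PLC) or a jump-host session


def scan_conn_log(lines):
    """Parse constructed Zeek-like records: ts src src_port dst dst_port proto."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto = line.split()[:6]
        hit = classify(src, dst, int(dport))
        if hit:
            findings.append((ts, hit))
    return findings


# Constructed sample log, not real traffic
SAMPLE_LOG = """\
# ts src src_port dst dst_port proto
1712000001 203.0.113.5 51234 10.200.1.20 44818 tcp
1712000002 10.200.2.10 40001 10.200.1.20 502 tcp
1712000003 10.30.5.10 52000 10.200.1.20 44818 tcp
1712000004 10.10.77.3 53000 10.200.1.21 44818 tcp
1712000005 10.10.77.3 53001 10.200.1.21 443 tcp
"""

if __name__ == "__main__":
    for ts, msg in scan_conn_log(SAMPLE_LOG.splitlines()):
        print(ts, msg)
```

Only the public-source EtherNet/IP session and the Level-3 workstation that reached a PLC without passing through the jump host are reported; in-cell Modbus polling and the jump-host session are treated as normal.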

Conclusion

The Iranian PLC campaign is not an exotic threat reserved for utilities. It is a reminder that the boring, contractor-managed, "facilities" half of every Saudi bank's estate is now a regulated cybersecurity domain — and one that adversaries can compromise with vendor software and a search engine. Closing that gap is no longer optional under SAMA CSCC, NCA OTCC, and the data-protection lens of PDPL.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that includes an OT/IT convergence baseline against CSCC, ECC, and OTCC.