By Brandon Hancock, J.D., CMMC-RP
CISA's April 7, 2026 advisory on Iranian-affiliated actors exploiting programmable logic controllers (PLCs) is a contractor issue. Any company that designs, installs, maintains, monitors, or remotely supports operational technology for government or critical-infrastructure customers should treat the advisory as a prompt to review internet exposure and remote-access controls.
PLC risk is not only an owner-operator problem
PLCs control physical processes. They are used in water systems, manufacturing, energy, building systems, and other operational environments. Contractors often touch them through engineering support, maintenance, integration, monitoring, and remote troubleshooting.
That means a contractor's tools, credentials, laptops, remote-access pathways, and subcontractors can become part of the risk surface. Even if the government or utility owns the equipment, the contractor may be responsible for how access is managed during performance.
Internet exposure is a governance failure
One of the clearest lessons from OT advisories is that internet-exposed control systems create avoidable risk. Sometimes exposure is deliberate. Sometimes it is inherited from a legacy installation. Sometimes it is created by a temporary remote-support workaround that becomes permanent.
For contractors, the governance question is simple: who approved the connection and why? If the answer is unclear, the connection should be reviewed. A contractor should not rely on “that is how it was configured when we got here.” If the contractor is maintaining the system, it should document known risks and recommended mitigations.
What this means for government contractors
Contractors supporting OT should review remote access, default credentials, network segmentation, logging, and incident escalation. They should also look at contract language. Does the statement of work assign responsibility for secure configuration? Does the customer control the network boundary? Does the contractor have authority to disable risky access? Does the subcontractor have incident-notice duties?
The answers may vary, but the discussion should happen before an incident. Contractors should not wait until a PLC manipulation event to find out whether they can collect logs, isolate a connection, or notify the customer.
Protected information can include OT details
Even where no personal information is involved, OT environments often contain sensitive information: diagrams, IP addresses, vendor configurations, facility layouts, credentials, maintenance procedures, and vulnerability information. For government work, some of that information may be CUI or otherwise contractually controlled. Contractors should handle OT documentation with the same discipline they apply to technical data and system security plans.
Next step: run a PLC and OT exposure check
Contractors supporting OT should document:
- all internet-facing OT assets;
- all remote-access methods;
- all vendors and subcontractors with access;
- authentication methods;
- default or shared credential status;
- segmentation between IT and OT networks;
- log sources and retention;
- emergency shutoff procedures; and
- customer notification paths.
If the contractor finds an exposed controller or unmanaged remote pathway, escalate it as a contract-performance and security issue, not just an IT ticket.
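The checklist above is easier to keep current as a structured record than as a one-off memo. The following is an added example, not code from this article or from CISA: it encodes the nine checklist items as rules over a constructed asset inventory and applies the escalation rule from the paragraph above (an exposed controller or an unmanaged remote pathway is a contract-performance and security issue, anything else is routine remediation). The Asset fields, the 90-day log-retention floor, and the three sample assets are assumptions made for illustration.

```python
"""Added example (not from the original article): apply the OT exposure
checklist to a contractor's asset inventory and classify each asset.

The Asset fields, the 90-day retention floor and SAMPLE_INVENTORY are
constructed assumptions; adapt them to the inventory actually kept.
"""
from dataclasses import dataclass
from typing import Dict, List

MIN_LOG_RETENTION_DAYS = 90  # assumed floor for this example, not from the article


@dataclass
class Asset:
    """One controller or OT endpoint as recorded by the contractor."""
    name: str
    internet_exposed: bool
    approved_by: str                      # who approved the connection; "" if unknown
    remote_access: List[str]              # e.g. ["vendor-vpn", "cellular-modem"]
    third_parties_with_access: List[str]  # vendors and subcontractors
    authentication: str                   # "mfa", "password" or "none"
    default_or_shared_credentials: bool
    segmented_from_it: bool
    log_sources: List[str]
    log_retention_days: int
    shutoff_procedure_documented: bool
    customer_notification_path: str       # "" if none recorded


def exposure_findings(a: Asset) -> List[str]:
    """Walk the checklist for one asset and return human-readable findings."""
    f: List[str] = []
    if a.internet_exposed and not a.approved_by:
        f.append("internet-exposed with no documented approval")
    elif a.internet_exposed:
        f.append(f"internet-exposed (approved by {a.approved_by}); document known risks and mitigations")
    if a.remote_access and a.authentication == "none":
        f.append("remote access without authentication")
    elif a.remote_access and a.authentication != "mfa":
        f.append("remote access without MFA")
    if a.default_or_shared_credentials:
        f.append("default or shared credentials in use")
    if not a.segmented_from_it:
        f.append("no segmentation between IT and OT networks")
    if not a.log_sources:
        f.append("no log source identified")
    elif a.log_retention_days < MIN_LOG_RETENTION_DAYS:
        f.append(f"log retention only {a.log_retention_days} days")
    if not a.shutoff_procedure_documented:
        f.append("no emergency shutoff procedure documented")
    if not a.customer_notification_path:
        f.append("no customer notification path recorded")
    return f


def escalation_level(a: Asset) -> str:
    """Exposed controller or unmanaged remote pathway: escalate as a
    contract-performance and security issue, not just an IT ticket."""
    unmanaged_path = bool(a.remote_access) and (
        a.authentication == "none" or not a.approved_by)
    if a.internet_exposed or unmanaged_path:
        return "contract-performance-and-security"
    return "routine-remediation" if exposure_findings(a) else "none"


def run_exposure_check(inventory: List[Asset]) -> Dict[str, Dict[str, object]]:
    """Produce a per-asset record: findings, escalation level and who else has access."""
    return {
        a.name: {
            "findings": exposure_findings(a),
            "escalation": escalation_level(a),
            "third_parties": list(a.third_parties_with_access),
        }
        for a in inventory
    }


# Constructed sample inventory covering the three outcomes.
SAMPLE_INVENTORY = [
    Asset("plc-water-pump-01", True, "", ["cellular-modem"], ["IntegratorCo"],
          "password", True, False, [], 0, False, ""),
    Asset("plc-hvac-bldg-3", False, "customer OT lead", ["vendor-vpn"], ["HVAC vendor"],
          "mfa", False, True, ["firewall", "jump-host"], 365, True, "customer SOC duty phone"),
    Asset("plc-line-7-press", False, "customer OT lead", ["vendor-vpn"], ["PressCo"],
          "password", False, True, ["jump-host"], 30, True, "plant manager"),
]

if __name__ == "__main__":
    for name, record in run_exposure_check(SAMPLE_INVENTORY).items():
        print(f"{name}: {record['escalation']}")
        for finding in record["findings"]:
            print(f"  - {finding}")
```

Running the module prints one block per asset; the first sample asset trips seven items and escalates, the second is clean, and the third has two routine findings (password-only remote access and short log retention) that do not by themselves meet the escalation rule. Because the output is keyed by asset name and lists third parties with access, the same record doubles as the documentation the checklist asks for.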
Sources
- Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure, AA26-097A, Cybersecurity and Infrastructure Security Agency, April 7, 2026.