On April 7, six U.S. federal agencies (CISA, FBI, NSA, EPA, Department of Energy, and US Cyber Command) issued a joint advisory with an urgent warning that Iranian-affiliated hackers have been actively disrupting PLCs across American critical infrastructure since at least March 2026.
The targets included energy facilities, water and wastewater systems, and local government operations. All of them had their PLCs reachable from the internet, and nobody was monitoring the programs running on them.
This wasn’t malware, it was Studio 5000
This advisory is different from the dozens of ICS security warnings that come out each year. This time the attackers didn’t use sophisticated or custom malware. They used Rockwell’s own Studio 5000 Logix Designer software to connect to internet-facing PLCs, interact with project files, and manipulate what operators saw on their HMI and SCADA displays.
The “weapon” was legitimate engineering software. The damage wasn’t done by breaking in, but by rewriting the logic that controls physical processes and changing what operators believed was happening on the floor.
The target devices were Rockwell Automation/Allen-Bradley PLCs, but the advisory also flags Siemens S7 PLCs and devices from other vendors. If your PLCs are reachable and your project files are unmonitored, you are in scope.
PLC project files are the new targets
A lot of OT security conversations focus on the network, but this advisory points to something that usually gets less attention: the PLC project file.
A project file is the complete specification of how your machine behaves. It contains the ladder logic that governs every automated decision, I/O configurations, safety parameters, setpoints, alarm thresholds, and every named variable in the control system.
If no one has a verified baseline of what that file is supposed to contain, there is no way to know if it was changed.
This is the nature of the current threat to U.S. infrastructure. It’s not just about keeping attackers out; it’s about knowing, with certainty, what is running on your controllers.
90% of OT networks are flying blind
Dragos’ 2026 OT/ICS Cybersecurity Year in Review estimates that only 10% of OT networks worldwide have any form of network monitoring or visibility in place. The other 90% are operating on trust, assuming that what’s running on their PLCs today is what was deployed during commissioning, that no unauthorized changes have been made, and that the logic hasn’t drifted.
Those assumptions are now attack vectors.
3 steps to take before the next advisory drops
The CISA advisory recommends standard network hardening: disconnecting PLCs from the internet, implementing MFA, and segmenting OT from IT. But network hardening alone isn’t enough.
- Audit what’s running. Compile a current inventory of every program deployed on your PLCs. Verify you have a copy of each project file, and compare it against what is actually on the device.
- Establish a verified baseline. Store your program inventory in version-controlled, independent storage, separate from the systems it protects. That baseline becomes your reference point for everything that follows.
- Build change detection into your operations. Configure alerting so that unauthorized program modifications generate an immediate notification. The window between “something changed” and “we noticed” is the gap attackers will exploit.
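The three steps above, carried through as an added example that is not Copia’s, CISA’s or Rockwell’s code: a Python script that takes the program uploaded from each controller at commissioning, keeps a copy plus an HMAC-signed hash manifest (the signature lets you notice if the stored baseline itself was tampered with), and then reports drift between that baseline and what is on the devices now, down to the changed rung. Every controller name, rung text and the signing key are constructed; the “upload from device” step is represented by plain dictionaries because real uploads go through the vendor’s engineering tooling.

```python
import difflib
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample: tiny L5X-style rung exports standing in for real
# Rockwell project files. Only the shape matters for the demonstration.
COMMISSIONED = {
    "PLC-Pump-01": b'<Rung Number="0"><Text>XIC(Tank_High) OTE(Pump_Stop);</Text></Rung>\n'
                   b'<Rung Number="1"><Text>LES(Pressure,95) OTE(Relief_Close);</Text></Rung>\n',
    "PLC-Intake-02": b'<Rung Number="0"><Text>XIC(Flow_OK) OTE(Valve_Open);</Text></Rung>\n',
}

# Constructed "what is on the devices now": one controller's alarm threshold was
# edited, one is unchanged, and one was never baselined at all.
CURRENT = {
    "PLC-Pump-01": b'<Rung Number="0"><Text>XIC(Tank_High) OTE(Pump_Stop);</Text></Rung>\n'
                   b'<Rung Number="1"><Text>LES(Pressure,130) OTE(Relief_Close);</Text></Rung>\n',
    "PLC-Intake-02": COMMISSIONED["PLC-Intake-02"],
    "PLC-Chem-03": b'<Rung Number="0"><Text>XIC(Dose_Enable) OTE(Dose_Pump);</Text></Rung>\n',
}

# Constructed key; in practice a secret held off the OT segment, next to the baseline store.
BASELINE_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Baseline:
    """Steps 1 and 2: a copy of every program plus a signed hash manifest."""
    copies: dict      # plc name -> project bytes (the version-controlled copy)
    manifest: dict    # plc name -> sha256 of that copy
    tag: str          # HMAC over the manifest


def _sign(manifest: dict, key: bytes) -> str:
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_baseline(uploads: dict, key: bytes) -> Baseline:
    manifest = {plc: sha256_hex(blob) for plc, blob in uploads.items()}
    return Baseline(dict(uploads), manifest, _sign(manifest, key))


def baseline_intact(b: Baseline, key: bytes) -> bool:
    """Refuse to compare against a baseline whose manifest was itself altered."""
    return hmac.compare_digest(_sign(b.manifest, key), b.tag)


@dataclass(frozen=True)
class Finding:
    plc: str
    status: str        # "ok", "modified", "unbaselined", "not_reachable"
    diff: tuple = ()   # changed rung lines when status == "modified"


def detect_drift(b: Baseline, current: dict, key: bytes) -> list:
    """Step 3: compare live uploads against the verified baseline."""
    if not baseline_intact(b, key):
        raise ValueError("baseline manifest failed integrity check; do not trust it")
    findings = []
    for plc in sorted(set(b.manifest) | set(current)):
        if plc not in b.manifest:
            findings.append(Finding(plc, "unbaselined"))
        elif plc not in current:
            findings.append(Finding(plc, "not_reachable"))
        elif sha256_hex(current[plc]) == b.manifest[plc]:
            findings.append(Finding(plc, "ok"))
        else:
            old = b.copies[plc].decode().splitlines()
            new = current[plc].decode().splitlines()
            changed = tuple(
                line for line in difflib.unified_diff(old, new, "baseline", "device", lineterm="", n=0)
                if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
            )
            findings.append(Finding(plc, "modified", changed))
    return findings


def alerts(findings: list) -> list:
    """Anything other than 'ok' should reach an operator immediately."""
    return [f"{f.plc}: {f.status}" + (f" {list(f.diff)}" if f.diff else "")
            for f in findings if f.status != "ok"]


if __name__ == "__main__":
    base = build_baseline(COMMISSIONED, BASELINE_KEY)
    for line in alerts(detect_drift(base, CURRENT, BASELINE_KEY)):
        print(line)
```

Run on the constructed data it raises two alerts: PLC-Pump-01 is reported as modified with the old and new rung 1 text side by side, and PLC-Chem-03 is reported as unbaselined. Keeping the full copy rather than just the hash is what makes the second part possible; a hash tells you something changed, the copy tells you what. The manifest signature matters because an attacker who can rewrite the PLC can usually also reach a baseline stored on the same network, which is why the text says to keep it in independent storage.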
The programs running on your PLCs are now an explicit target of nation-state adversaries, being studied, exfiltrated, and modified. The question for every manufacturing leader isn’t only whether your network is hardened enough. It’s whether you would know, right now, if someone had changed the logic running on your production equipment.
See how Copia helps you establish a verified baseline for your PLC programs. Request a demo.