In April 2026, the FBI, CISA, the NSA, and three other federal agencies issued a joint warning that should matter to every manufacturer running a shop floor: hackers linked to Iran were actively breaking into programmable logic controllers, the devices that run machinery in plants across the country. Overnight, PLC security became more than an abstract IT concern.
The attackers weren't using an advanced exploit. They were logging into PLCs sitting wide open on the public internet, using the same software the manufacturer's own engineers use to program them, and in more than a few cases, a password nobody ever bothered to change.
For a lot of manufacturing shops, this was the first time anyone connected the words "PLC" and "cybersecurity" in the same sentence. That needs to change, and fast.
PLCs, or programmable logic controllers, don't get patched like laptops, and they weren't built with security in mind. Most were designed decades ago to be reliable and fast, not to fend off hackers. That gap between what a PLC was built to do and what it's now exposed to is exactly what the April 2026 advisory was about.
In April 2026, the FBI, CISA, the NSA, the EPA, the Department of Energy, and US Cyber Command jointly confirmed that Iranian-affiliated hackers were actively exploiting internet-facing PLCs, specifically Rockwell Automation and Allen-Bradley controllers, across US critical infrastructure and manufacturing. The attacks caused real operational disruption and financial losses.
The advisory, tracked as AA26-097A, described a campaign that had been running since at least March 2026. The attackers manipulated data on HMI and SCADA displays, interfered with PLC project files, and disrupted operations at facilities in water treatment, energy, and manufacturing.
What makes this campaign worth paying attention to on a Colorado shop floor, not just a water utility, is how the attackers got in. Researchers at Censys identified over 5,000 internet-exposed Rockwell and Allen-Bradley devices worldwide, with roughly three out of every four sitting inside the United States. Nozomi Networks' field CISO told reporters that more than 3,000 Rockwell devices remain visible on the public internet right now, often because the owner doesn't realize they're exposed or doesn't think it matters.
PLCs fall into a blind spot because they're typically installed and maintained by a controls engineer or an outside integrator, not by IT. Once a machine is running, nobody circles back to check whether the controller is still secure. It just becomes part of the equipment, the same as a motor or a belt.
We see this constantly with manufacturing clients:
Most IT teams manage servers and workstations while control engineers manage machinery. PLCs sit in the middle, and in a lot of shops, nobody owns that middle ground.
The tactics behind the April 2026 campaign weren't complicated, and that is the part that should alarm any manufacturer reading the news. The attackers used Rockwell's own Studio 5000 Logix Designer software, the same tool many of your engineers likely use, to connect directly to exposed controllers. They simply targeted a known authentication weakness in the software and walked in through the front door.
Once inside, they targeted specific ports tied to industrial protocols and deployed remote access tools to keep their foothold. The whole approach relies on three things being true: the PLC is reachable from the internet, its credentials are weak or default, and nobody is watching for unusual activity on that device. Those three conditions describe a huge number of shop floors right now, including plenty that have never had a single conversation about managed cybersecurity for their production equipment.
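To make the "nobody is watching" condition concrete, here is an added example (not code from the advisory or from this article's author) that reviews firewall log lines for industrial-protocol connections to the PLC subnet from anything other than an approved engineering workstation. The subnet, workstation address, log format and log lines are all constructed assumptions, and the port list is a common-knowledge selection, not the advisory's.

```python
import ipaddress

# Standard industrial protocol ports. This selection is the example's own,
# not a list taken from advisory AA26-097A.
OT_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP I/O",
            502: "Modbus/TCP", 102: "S7comm"}

# Assumed site layout (hypothetical addresses).
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENG_WORKSTATIONS = {ipaddress.ip_address("10.10.5.21")}  # allowed to program PLCs

# Constructed firewall log: timestamp src dst dport action
SAMPLE_LOG = """\
2026-04-10T08:01:12Z 10.10.5.21 10.20.0.15 44818 allow
2026-04-10T08:03:40Z 203.0.113.77 10.20.0.15 44818 allow
2026-04-10T08:04:02Z 10.10.8.90 10.20.0.16 502 allow
2026-04-10T08:05:19Z 198.51.100.4 10.20.0.15 44818 deny
2026-04-10T08:06:55Z 10.10.8.90 10.20.0.15 443 allow
malformed line
"""

def classify(src_ip, action):
    external = not any(src_ip in net for net in INTERNAL)
    if external and action == "allow":
        return "CRITICAL"   # controller is reachable from the internet
    if external:
        return "PROBE"      # blocked, but an outside host tried an OT port
    return "UNAPPROVED" if action == "allow" else None

def review(log_text):
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, src, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if dst_ip not in PLC_NET or port not in OT_PORTS or src_ip in ENG_WORKSTATIONS:
            continue  # not OT traffic to a controller, or expected engineering traffic
        severity = classify(src_ip, action)
        if severity:
            findings.append((severity, src, dst, OT_PORTS[port]))
    return findings
```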
The good news is that the fixes here don't require ripping out equipment or halting a production run.
We work with manufacturers across Metro Denver and the Front Range who've spent years thinking about firewalls and email security without ever asking who can reach the PLC running their press. That gap is exactly where the April 2026 advisory should push every shop owner to look next.
If you run defense contracts on top of that, the stakes get higher. Exposed OT devices are the kind of gap that shows up fast in a CMMC compliance assessment. We build manufacturing IT services around this exact blind spot, connecting office and production networks the right way, with backups and recovery for production data built in from day one through our data protection approach.
You don't need to overhaul your shop floor to close this gap. You need someone to walk the network with you and tell you what's reachable. Reach out and we'll be happy to take a look!