In April 2026, US federal agencies issued an urgent warning: Iranian-backed hackers were actively targeting Allen-Bradley PLCs across critical infrastructure. It’s the latest in a series of escalating cyber attacks on industrial control systems, and it’s not just a US problem. With manufacturing now the most targeted sector for ransomware globally and 78% of UK manufacturers reporting cyber incidents, the threat to your shop-floor has never been more real. Here’s what managers and engineers need to know.
What happened?
On 7 April 2026, six US federal agencies, including the FBI, CISA, and the NSA, issued an urgent joint advisory. CyberAv3ngers, an Iranian group linked to the IRGC, had been actively targeting internet-connected Allen-Bradley PLCs manufactured by Rockwell Automation across multiple critical infrastructure sectors.
The attacks weren’t theoretical. They caused real operational disruption and financial loss. The hackers manipulated data on HMI and SCADA displays, interfered with project files, and disrupted PLC functions at facilities across the United States, including water treatment plants, energy providers, and manufacturing operations.
The targeted devices included CompactLogix and Micro850 PLCs. But the advisory didn’t stop there. It warned that other PLC brands could also be at risk, including Siemens S7, a platform widely used across Europe and Asia.
According to internet monitoring firm Censys, over 5,200 Allen-Bradley devices were found to be exposed to the public internet globally, with nearly 75% of them located in the United States. A significant number of those were running on cellular modems in the field, with no firewall, no VPN, and no authentication standing between them and the outside world.
This isn’t new.
The group behind the April 2026 attacks has been building its capabilities for years. In late 2023, the same group compromised at least 75 Unitronics PLCs across the US, UK, and Ireland by exploiting something as basic as factory-default passwords on internet-exposed devices.
One of the most high-profile victims was the Municipal Water Authority of Aliquippa in Pennsylvania. The hackers took control of a booster station that monitors and regulates water pressure for local communities. In County Mayo, Ireland, a separate attack left residents without running water for several days.
By mid-2024, the group had developed custom malware designed specifically for industrial control systems. By early 2026, they had moved on to Rockwell Automation’s Logix controllers, exploiting a critical authentication bypass vulnerability.
The pattern is clear. These threat actors are getting more sophisticated, more targeted, and more destructive with every campaign. And they are specifically going after the PLCs that keep your production lines, utilities, and infrastructure running.
Manufacturing is now the number one target
It’s not just state-sponsored groups that manufacturers need to worry about. According to Check Point’s Manufacturing Threat Landscape 2025 report, cyber attacks against the manufacturing sector rose 56% in 2025, jumping from 937 recorded incidents in 2024 to 1,466. The UK alone saw 65 confirmed ransomware attacks against manufacturers last year.
The reasoning behind this surge is straightforward. Attackers know that downtime on a production line costs serious money, and they know that many manufacturers will pay a ransom rather than lose days or weeks of output.
According to Siemens’ The True Cost of Downtime 2024 report, unscheduled downtime drains 11% of annual revenues from the world’s 500 biggest companies, totalling $1.4 trillion globally. A separate study, ABB’s Value of Reliability Report (2024), found that two-thirds of companies experience unplanned downtime at least once per month, at an average cost of $125,000 per hour.
Now imagine that downtime being caused not by a mechanical failure or a software glitch, but by a deliberate, targeted cyber attack on the PLCs that control your lines.
The wake-up call
UK manufacturers got their own stark reminder in September 2025, when Jaguar Land Rover was hit by a cyber attack that severely disrupted production at its Halewood, Solihull and Wolverhampton plants for 3 weeks. The attack reportedly targeted the boundary between JLR’s corporate IT network and its operational technology (OT) network, the systems that control the robots and machinery on the factory floor.
To prevent the malware from crossing into the OT environment and potentially damaging physical equipment, JLR had to isolate systems and shut down production. Staff were sent home. More than 5,000 businesses across JLR’s supply chain were affected. Full recovery wasn’t expected until January 2026, and the estimated financial impact was approx. £1.9bn according to the Cyber Monitoring Centre.
For UK manufacturers, the JLR incident made one thing very clear: a cyber attack doesn’t just steal data. It stops production. And when production stops, the costs cascade through every part of the business.
Why PLCs are uniquely vulnerable
The core problem is that many PLCs, SCADA systems, and industrial IoT devices were never designed with cyber security in mind. They were built to be reliable, durable, and accessible. Security was an afterthought, if it was considered at all.
In Europe, research suggests that 80% of manufacturers continue to operate critical OT systems with known vulnerabilities. Many of these systems run on legacy software that hasn’t been updated in years. Default passwords remain unchanged. Remote access connections, often set up for convenience or for external contractors, are left open and unmonitored.
The April 2026 Allen-Bradley attacks exploited exactly this kind of weakness. The hackers didn’t need a sophisticated zero-day exploit. They used legitimate Rockwell Automation software, Studio 5000 Logix Designer, to connect to PLCs that were sitting on the open internet with no authentication protecting them. They walked through the front door.
The skills gap makes it worse
There’s another layer to this problem, and it’s one that doesn’t get enough attention. The UK’s engineering skills crisis is making manufacturers more vulnerable to cyber threats, not less.
According to Make UK’s Industrial Strategy Skills Commission Report (2025), there are 55,000 long-term unfilled vacancies in UK manufacturing, costing the economy £6 billion in lost output every year. One in five UK manufacturing workers is now over 55, and 81% of UK managers say most technical expertise sits with older employees, making their departure a critical risk (Flip / Workplace Intelligence, 2025).
When there aren’t enough trained engineers on-site who truly understand the PLCs they’re responsible for, how those systems communicate, what normal operation looks like, and what the warning signs of interference are, the risk of a cyber incident going undetected or being mishandled goes up significantly.
An engineer who understands their PLC inside out is far more likely to notice when something doesn’t look right on the HMI, when data is being displayed that doesn’t match what the line is doing, or when a project file has been altered. That kind of awareness can’t be replaced by a firewall alone.
“We’ll give you the skills you need to take full ownership of the equipment you’re responsible for.”
Nathan Ramsahai, Tutor, Scantime
The Stuxnet lesson we still haven’t learned
The idea that a PLC could be weaponised isn’t new. It was proven back in 2010, when the Stuxnet worm, widely attributed to US and Israeli intelligence, targeted Siemens STEP7 software and the PLCs controlling uranium enrichment centrifuges at Iran’s Natanz nuclear facility. The worm caused nearly 1,000 centrifuges to destroy themselves by subtly altering their operating speeds while displaying normal readings to the operators.
Stuxnet was the world’s first known cyber weapon designed to cause physical damage through a PLC. It demonstrated, over 15 years ago, that anyone with the right knowledge could manipulate industrial control systems to cause real-world harm. The operators at Natanz had no idea anything was wrong because the SCADA displays were telling them everything was fine.
That is exactly the kind of manipulation the hackers carried out in April 2026, altering data on HMI and SCADA displays so that operators couldn’t trust what they were seeing. The technology has changed, but the tactic is the same: compromise the PLC, manipulate the data, and the people on the shop-floor don’t know there’s a problem until it’s too late.
What should you be doing?
If you’re a plant manager, engineering manager, or anyone responsible for the operational technology on your shop-floor, there are practical steps you can take now to reduce your exposure.
Start by auditing every PLC on your network. If any of them are connected directly to the internet without a firewall, VPN, or authentication gateway, you may want to rethink this. The April 2026 advisory was explicit: internet-exposed PLCs with no access controls are the primary attack vector.
Change every default password. It sounds basic, but the 2023 Unitronics attacks succeeded because PLCs were still running factory-default credentials. If your devices haven’t had their passwords changed since installation, they are exposed.
Implement multi-factor authentication for any remote access to your OT environment. If your team or your contractors are using VNC, TeamViewer, or other remote tools to access PLCs, make sure those connections are secured, monitored, and time-limited.
Segment your IT and OT networks. The JLR attack showed what happens when malware can move from the corporate network towards the shop-floor. A properly segmented network, with dedicated firewalls between IT and OT, limits how far an attack can spread.
And perhaps most importantly, make sure the engineers on your shop-floor have the training and the confidence to understand the systems they’re working with. Can your engineers read your PLC programs and spot unexpected logic? If not, that’s a vulnerability. An engineer who can read a PLC program, who understands how the hardware communicates, and who knows what the HMI should be showing is one of your strongest lines of defence.
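The first four steps above can be run as a repeatable check over an asset inventory export. The Python below is an added example, not part of the original article or any vendor tooling; the CSV column names, the device rows and the 10.20.0.0/16 site range are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory, not real devices. Column names are assumptions made
# for this example; map them to the fields your asset register exports.
SAMPLE_INVENTORY = """\
name,model,ip,gateway,default_password,remote_tool,remote_mfa,it_ot_firewall
PLC-A,CompactLogix,10.20.1.15,firewall,no,,,yes
PLC-B,Micro850,203.0.113.7,none,yes,,,no
PLC-C,CompactLogix,10.20.3.40,vpn,no,VNC,no,yes
PLC-D,Siemens S7,10.20.5.9,firewall,yes,TeamViewer,yes,no
"""

# Address ranges the site itself uses for OT (assumption for this example).
SITE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def audit(inventory_csv, site_networks=SITE_NETWORKS):
    """Return {device name: [findings]} for every device failing a check."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        field = {k: (v or "").strip().lower() for k, v in row.items()}
        addr = ipaddress.ip_address(field["ip"])
        findings = []
        # Step 1: addressed outside the site ranges with nothing in front of it.
        off_site = not any(addr in net for net in site_networks)
        if off_site and field["gateway"] in ("", "none"):
            findings.append("internet-facing, no firewall/VPN/authentication")
        # Step 2: default credentials; anything but an explicit "no" is unverified.
        if field["default_password"] != "no":
            findings.append("default password unchanged")
        # Step 3: remote access tool in use without multi-factor authentication.
        if field["remote_tool"] and field["remote_mfa"] != "yes":
            findings.append("remote access (%s) without MFA" % row["remote_tool"])
        # Step 4: no dedicated firewall between the IT and OT networks.
        if field["it_ot_firewall"] != "yes":
            findings.append("no IT/OT firewall")
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name + ": " + "; ".join(findings))
```

Blank or unknown answers are counted as findings, so a device only passes a check when the inventory positively records the control as in place.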
Cyber security is a shop-floor issue
For too long, cyber security in manufacturing has been treated as an IT department problem. Something that sits with the network team, not the engineering team. The reality, as these attacks keep proving, is that cyber security is an operational issue. It’s a production issue. It’s a shop-floor issue.
When hackers target your PLCs, they’re not stealing emails or customer databases. They’re going after the systems that control your physical processes: your production lines, your water treatment, your power generation. The consequences aren’t measured in leaked records. They’re measured in lost output, damaged equipment, supply chain disruption, and in the worst cases, risk to human safety.
According to Cyble’s Annual Threat Landscape Report 2025, ICS vulnerability disclosures nearly doubled from 2024, with 2,451 vulnerabilities identified across 152 vendors. The Dragos 2026 OT/ICS Cybersecurity Report tracked 26 active OT threat groups globally, with manufacturing accounting for more than two-thirds of all victims. And ESET research published in April 2026 found that 78% of UK manufacturers had experienced a cyber incident.
The threat is real, it’s growing, and it’s specifically targeting the PLCs and SCADA systems that your shop-floor depends on.
“When everyone’s staring at you, it’s not the right time to learn.”
Nathan Ramsahai
Invest in your people, not just your firewalls
Firewalls, network segmentation, and access controls are essential. But they’re only part of the picture. The engineers on your shop-floor are the last line of defence, the people who will notice when something isn’t right, who will respond when a line goes down unexpectedly, and who will need to determine whether it’s a fault or something more sinister.
If your team doesn’t have the skills and confidence to understand the PLCs they’re responsible for, all the technology in the world won’t protect you from the human element that these attackers are exploiting.
92% of manufacturing SMEs in England anticipate some kind of skills gap within their business (Skills Horizon Barometer, 2025). 78% of manufacturers are already experiencing productivity losses directly attributed to those gaps (Make UK, 2025). Closing the skills gap isn’t just about improving efficiency or reducing downtime. In 2026, it’s about making your operation harder to attack.
Frequently asked questions
What was the 2026 Allen-Bradley PLC cyber attack?
In April 2026, six US federal agencies issued a joint advisory warning that Iranian-affiliated hackers had been targeting internet-connected Allen-Bradley PLCs manufactured by Rockwell Automation. The attacks caused operational disruption and financial loss across multiple critical infrastructure sectors by manipulating HMI and SCADA data and interfering with PLC project files.
Why are PLCs vulnerable to cyber attacks?
Many PLCs, SCADA systems, and industrial IoT devices were never designed with cyber security in mind. Common vulnerabilities include factory-default passwords, direct internet exposure without firewalls or VPNs, legacy software that hasn’t been updated, and unsecured remote access connections.
How can manufacturers protect their PLCs from cyber attacks?
Key steps include disconnecting PLCs from direct internet access, changing all default passwords, implementing multi-factor authentication for remote OT access, segmenting IT and OT networks, and ensuring engineers have the training to understand and monitor the PLC systems they are responsible for.
It starts on the shop-floor
Cyber security in manufacturing doesn’t begin with software. It begins with the people who understand the systems. If your engineers can confidently interrogate a PLC, read the program, understand the network, and spot when something isn’t right, your operation is stronger for it, regardless of where the next threat comes from.
Our courses give maintenance engineers the hands-on, practical PLC training they need to take full ownership of the equipment they’re responsible for. Training centres are in Gateshead and Alderley Park. Courses run weekly.
Explore our courses or contact our team to find the right course for you.