Attack Observed vs. TARA Predicted

1. Observed: Shodan scan found ~6,000 exposed Rockwell devices — a ready-made target list.
   TARA Predicted (D5): "Internet-Exposed PLC with No Authentication Boundary" — asset assumes an air-gap that doesn't exist.

2. Observed: CVE-2021-22681 exploited — shared key extracted, no credentials needed. No patch exists.
   TARA Predicted (D1): "Extractable shared cryptographic key enables unauthenticated workstation spoofing."

3. Observed: Attacker used Studio 5000 — the legitimate tool — indistinguishable from authorized maintenance.
   TARA Predicted (D4): "Proprietary engineering tool connection indistinguishable from adversary session."

4. Observed: Dropbear SSH deployed as an arbitrary binary — persistent backdoor, survives reboots.
   TARA Predicted (D7): "Open execution environment allows deployment of unauthorized persistent access tools."

5. Observed: Operators watched falsified HMI readings while the physical process was manipulated.
   TARA Predicted (D6): "PLC owns display values with no independent validation — falsified data reaches operators unchecked."