If you operate a water utility, an energy facility, or any plant with a Rockwell Automation/Allen-Bradley PLC reachable from the public internet, the joint advisory issued in April 2026 is not optional reading. The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, EPA, Department of Energy, and US Cyber Command's Cyber National Mission Force documented an active, ongoing campaign by Iranian-affiliated advanced persistent threat actors targeting programmable logic controllers in US critical infrastructure.

Disruptions have already occurred. Project files have been manipulated, HMI and SCADA displays have been altered, and the financial impact is real. The most striking finding from the follow-up reporting by internet-monitoring firm Censys: of more than 5,000 exposed Allen-Bradley PLCs identified globally, roughly 3,900 are in the United States — about 74.6% of the global total. That concentration tracks with Rockwell's dominant North American market share, and it means US operators are bearing a disproportionate share of the targeting risk.

This article walks through what the advisory actually says, why this is structural rather than incidental, and how cybersecurity-forward PLCs from WAGO and Turck approach the problem differently. We'll point to specific controllers in the Automation Distribution catalog that are worth evaluating if you're rebuilding an OT architecture with security in mind — including WAGO's newest-generation PFC300 controller and the ctrlX OS-based Edge Controller 400, both of which represent clean-sheet redesigns that take cybersecurity into account from the silicon up.

What the CISA AA26-097A Advisory Actually Says

The April 2026 joint advisory describes activity observed since at least March 2026 and attributes it to Iranian-affiliated APT actors operating in coordination with the IRGC Cyber Electronic Command. The campaign is a continuation of patterns first publicly attributed to the group known as CyberAv3ngers (also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, APT Iran, Bauxite, Soldiers of Solomon, UNC5691). That same group was responsible for the November 2023 attack on the Aliquippa, PA municipal water authority, where Israeli-made Unitronics PLCs were defaced after the Israel-Hamas war began.

Key technical findings from the advisory:

The mechanism of disruption is not subtle. Once the PLC is reachable and the authentication is bypassed, the actors extract project files, manipulate logic on HMI and SCADA displays, and in some cases push attacker-supplied content directly to operator screens. There's nothing exotic about the exploitation path — it works because PLCs that should never have been on the public internet were left exposed, often with default credentials or unpatched firmware containing a four-year-old CVE.

Why This Is Structural, Not Incidental

It's tempting to read the advisory as a Rockwell-specific problem. It isn't. It's a problem with how an entire generation of PLCs was designed: assume the OT network is air-gapped, assume the operator will never expose the device, and bolt security on later through firmware patches and customer hardening guides.

That assumption broke about a decade ago, and it keeps breaking in increasingly costly ways. Every vendor with a large installed base of legacy controllers shares the architectural debt. The question isn't whether your PLC vendor can be exploited — given enough exposure and time, any of them can. The question is what the controller's design posture is around cybersecurity, and how much defensive work the vendor has shouldered versus how much they've left for you to do at deployment.

That's the lens worth applying to PLC selection going forward. Three concrete signals matter:

1. IEC 62443 certification. The international standard for industrial automation cybersecurity. IEC 62443-4-1 certifies the vendor's secure development lifecycle. IEC 62443-4-2 certifies the device itself, with Security Levels 1 through 4. SL2 is the meaningful threshold for most commercial OT environments.
2. Default network posture. Does the controller default to no exposed services, or does it ship with web servers, FTP, Telnet, and remote configuration enabled out of the box? The Censys data on the current campaign noted that hundreds of exposed devices were reachable via unencrypted Telnet — a protocol that has no business on internet-facing OT.
3. Firmware update model. Are security patches delivered through a managed channel with cryptographic signing, or does the operator have to download them manually and pray? Does the vendor publish a Product Security Incident Response (PSIRT) advisory feed?

CISA's Mitigation Checklist (Vendor-Neutral)

Before discussing alternative controllers, let's be clear: changing PLC brands does not make a poorly-architected OT network secure. CISA's mitigation guidance applies regardless of which controller you run.

If your facility runs internet-exposed PLCs of any brand, those mitigations come first. What follows is the second-order question: when you do replace, expand, or specify new controllers, what does a cybersecurity-forward selection look like?

WAGO PLCs: IEC 62443 Development Process and a Cybersecurity-Aware Product Line

WAGO's controller development process is certified under IEC 62443-4-1, meaning the secure development lifecycle is third-party audited from requirements through release. Across the PFC and Compact Controller families, security features are built into the firmware: encrypted communications via TLS, native OpenVPN and IPsec support, integrated firewalls with whitelist/blacklist and MAC filter rules, configurable user roles with role-based access control, and disable-by-default web services. Combined with WAGO's CODESYS V3.5-based engineering environment, the platform gives you fine-grained control over which services are exposed on which interface.

The lineup is segmented into four families. Use the framing below to pick the right starting point, then drill in:

PFC300 — The Next-Generation Cybersecurity-Forward Controller

The WAGO 750-8302 PFC300 Controller is WAGO's newest-generation flagship compact PLC and the controller to specify when you're starting from a blank sheet on a 2026-or-later install. It runs a Dual Core ARM Cortex-A53 processor at 1.4 GHz with 2 GB of LPDDR4 RAM and 32 GB of eMMC flash on a real-time Linux OS with the PREEMPT_RT patch. Roughly four times the CPU performance of the PFC200 G2 it succeeds, four times the RAM, and eight times the internal flash — with native CODESYS V3.5 (multi-core scheduling included) and gigabit Ethernet on both ports rather than 100 Mbit.

From a cybersecurity-forward selection standpoint, three things about the PFC300 matter:

1. Clean-sheet platform. The PFC300 is not a refresh — it's a new hardware platform with a current-generation Linux base, current crypto libraries, and a current TLS stack. Older controllers carry forward toolchain and library decisions made years ago; the PFC300 starts from where 2025 left off.
2. Network segregation by default. The two RJ-45 ports default to a single bridged interface for line topology, but through the Web-Based Management UI you can split them into two independent bridges with separate IP addresses — putting one port on the OT control network and one on the IT/management network with no extra hardware.
3. Hazardous-area and marine approvals. ATEX (II 3 G Ex ec IIC T4 Gc), IECEx, plus marine ABS and DNV — the PFC300 covers Zone 2 chemical/oil-and-gas, refinery, and shipboard installations that the PFC200 G2 doesn't address.

The PFC300 directly accepts the full WAGO 750/753 Series I/O catalog (up to 250 modules per node), so it's a drop-in upgrade path for engineers already standardized on the WAGO I/O System. The CODESYS V3.5 application development tooling is the same as PFC200 G2 (e!RUNTIME), and WAGO publishes a migration guide for moving e!COCKPIT projects from PFC200 G2 to native CODESYS V3.5 on the PFC300.

PFC200 G2 — Current-Shipping Workhorse with the Widest Variant Selection

The PFC200 G2 family remains WAGO's most broadly deployed industrial controller and the right specification for the bulk of plant-floor applications today. The platform supports CODESYS V3.5 from Firmware 23 forward (with WAGO-I/O-PRO V2.3 and e!COCKPIT supported up to Firmware 22 for backward compatibility) and shares the same TLS, OpenVPN, IPsec, and firewall feature set across all variants. The variant selection is what makes PFC200 G2 the workhorse — pick the model based on your protocol mix, environmental rating, and connectivity needs:

• WAGO 750-8212 PFC200 G2 — 2× Ethernet, RS-232/RS-485, the workhorse model for plant-floor PLC duty.
• WAGO 750-8210 PFC200 G2 — 4× Ethernet for network segmentation, where you want different physical Ethernet segments for control, IT, and engineering access without an external switch.
• WAGO 750-8213 PFC200 G2 — 2× Ethernet plus CAN/CANopen.
• WAGO 750-8214 PFC200 G2 — 2× Ethernet, RS-232/RS-485, plus CAN/CANopen.
• WAGO 750-8216/025-000 PFC200 G2 — extended-temperature with PROFIBUS slave for retrofit applications integrating with legacy PROFIBUS networks.
• WAGO 750-8212/000-100 PFC200 G2 with BACnet/IP — 2× Ethernet, RS-232/RS-485, plus native BACnet/IP for building automation projects that need a CODESYS V3-based modern controller.

For applications in unconditioned environments — outdoor enclosures, water/wastewater pump stations, remote energy sites — the PFC200 XTR variants extend the rating to -40°C through +70°C with vibration and EMC tolerance suited to substation and rail environments. The WAGO 750-8210/040-000 PFC200 G2 XTR with 4× Ethernet and the WAGO 750-8211/040-000 PFC200 G2 XTR with fiber-optic 100Base-FX are the SCADA-grade options for sites where copper Ethernet runs aren't viable.

For sites without wired backhaul, the WAGO 750-8217/600-000 PFC200 G2 with integrated 4G LTE cellular eliminates the need for a separate cellular gateway entirely. The cellular link is part of the PLC's managed firmware, which means VPN and certificate handling are integrated rather than bolted on — one fewer device to patch, one fewer vendor's security posture to audit.

Compact Controller 100 (CC100) — Integrated I/O for Machine Builders

The WAGO 751-9301 Compact Controller 100 is a tightly-integrated PLC for machine builders and small automation cells. It includes 8 digital inputs, 4 digital outputs, 2 analog inputs, 2 analog outputs, 2 RTD inputs, dual Ethernet with integrated switch, RS-485, microSD card slot, and CODESYS V3.5 programming. The integrated I/O removes a common attack surface — every additional bus coupler or remote I/O block is another network device that has to be secured. The WAGO 751-9401 adds CAN/CANopen for applications that need it, and there's also a CC100 Starter Kit that bundles the controller with a 24VDC power supply and end-stop accessories for evaluation deployments.

Edge Controller 400 — Open Automation with ctrlX OS

The WAGO 752-8400 Edge Controller 400 is a different animal from the PFC family. Rather than a fixed-runtime PLC, it's an open Linux-based automation platform built on Bosch Rexroth's ctrlX OS, configured by installing apps from the ctrlX OS App Zone — IEC 61131-3 PLC, EtherCAT master, motion, visualization, databases, MQTT brokers, OPC UA, Python, Node-RED, custom containers, and dozens more.

The hardware is a Xilinx Zynq UltraScale+ SoC with a 64-bit quad-core ARM Cortex-A53, 2 GB of DRAM, 4 GB of eMMC flash, and three configurable Gigabit Ethernet ports — one of which is TSN-capable (Time-Sensitive Networking) for OPC UA over TSN or as a second control network. There's also a USB-C 2.0 host port and a microSD slot.

From a cybersecurity-forward standpoint, the Edge Controller 400's defining traits are Secure Boot (only signed Bosch Rexroth runtime images can boot by default), HTTPS for the web interface, role-based user access, and fully isolated app execution — apps run in containerized environments with permissions managed centrally. The underlying ctrlX CORE hardware platform is designed against IEC 62443 industrial cybersecurity standards. (One important caveat: the factory-default password is wago/wago — change it on first login. The default is widely known and provides no real protection in production environments.)

Where this device shines is OT-IT convergence: when you need an edge node that can pull data from existing PLCs, drives, and sensors; run pre-processing or ML inference locally; and publish to AWS IoT, Azure IoT, or your on-prem MQTT broker — without putting an unmanaged Windows IPC on the OT network. The Edge Controller 400 also functions as a complete PLC plus motion controller plus HMI plus database plus IIoT gateway in a single 42 mm DIN-rail housing when the appropriate apps are installed, replacing what used to be three or four separate devices with one. For more compute-intensive edge applications, Automation Distribution also carries the Intel-based WAGO 752-9400 Edge Computer (4 GB RAM / 64 GB flash) and 752-9401 Edge Computer (8 GB RAM / 64 GB flash) — both with HDMI, DisplayPort, and quad USB for IPC-class workloads at the edge.

Turck PLCs: Block I/O Architecture, IP67 Field-Mount, and IoT Gateways

Turck's PLC offerings come at the cybersecurity question from a different angle: they're built on CODESYS V3 (the same engineering environment as WAGO's PFC line, which simplifies skill development for integrators standardizing on a multi-vendor toolchain) and they emphasize architectures that minimize attack surface — either through field-mount block I/O instead of centralized cabinets full of remote I/O, or through purpose-built DIN-rail IoT gateway PLCs that consolidate edge connectivity into the controller itself rather than bolting on a separate gateway device.

The Turck TBEN-PLC and IP67 Controllers category covers the full lineup. Three product families are worth evaluating in detail.

Turck TBEN-L Compact PLCs (IP67 Field-Mount)

The TBEN-L family is Turck's IP67/IP69K-rated block PLC line. These controllers mount directly on the machine — no enclosure required — and run CODESYS V3 with built-in support for PROFINET controller/device, EtherNet/IP scanner/device, EtherCAT master, Modbus TCP master/slave, Modbus RTU, CANopen, and SAE J1939. They're rated for ATEX Zone 2/22, fully potted electronics, and shock/vibration tested. Each unit includes 8 universal digital I/O channels with per-port input and output diagnostics.

From a cybersecurity standpoint, the architectural argument is: a field-mount PLC running PROFINET to a few local sensors is much easier to isolate than a control cabinet PLC handling 200 I/O points across a Layer 2 network. The blast radius of a compromise is smaller, and the network topology that makes the most sense for IP67 field-mount devices — point-to-point or daisy-chain Ethernet — is also the topology that's easiest to segment.

• Turck TBEN-L5-PLC-10 — 5-pole power, CODESYS V3, base configuration.
• Turck TBEN-L4-PLC-10 — 4-pole power, CODESYS V3, base configuration.
• Turck TBEN-L5-PLC-11 — 5-pole power version with included CODESYS WebVisu license for browser-based HMI on the controller itself.
• Turck TBEN-L4-PLC-11 — 4-pole power version with included WebVisu license.

Turck TX700 DIN-Rail PLCs and IoT Gateways

The TX700-series IoT gateway PLCs are headless DIN-rail-mount controllers — no integrated touchscreen — designed specifically for the role of "PLC plus edge IoT gateway in one device." They run CODESYS V3 with WebVisu (so the operator interface lives on a separate display or thin client, accessible over the network), support PROFINET, EtherNet/IP, Modbus TCP, Modbus RTU, CANopen, SAE J1939, and EtherCAT as a master, and offer three RJ45 Ethernet ports plus RS-232/RS-485/RS-422, two USB host ports, and an SD card slot.

The cybersecurity argument for this product family is consolidation. Instead of running a separate IoT gateway device alongside your PLC — adding another network endpoint, another firmware to patch, another set of credentials to manage, and another potential exposure point — the gateway and the PLC are the same hardware. Three performance tiers cover the cost/capability range:

• Turck TX700S-P3WV01 — single-core ARM Cortex-A9, entry-level price point for smaller automation cells where you still want the integrated PLC + gateway architecture.
• Turck TX700D-P3WV01 — dual-core ARM Cortex-A9, mid-tier for typical machine and process line applications.
• Turck TX700Q-P3WV01 — quad-core ARM Cortex-A9, 2 GB RAM, 8 GB flash, top-tier for compute-intensive edge analytics, complex multi-protocol fieldbus master applications, and IIoT data aggregation workloads.

Turck TX800 Quad-Core IoT Gateway PLCs

The TX800 IoT gateway PLCs are Turck's newest cabinet-mount controllers — the next-generation step up from the TX700-series. They share the headless DIN-rail-mount design philosophy but with updated quad-core hardware and improved gateway capabilities. Two models cover the lineup:

• Turck TX800M-P3WV01 — mid-range quad-core IoT gateway PLC.
• Turck TX800L-P3WV01 — top-tier quad-core IoT gateway PLC for higher-performance edge applications.

For cabinet installs where the operator interface is a separate panel HMI, web browser, or remote thin client — exactly the architecture that segments operator access from PLC logic, which is one of the defensive postures CISA recommends — the TX700 and TX800 IoT gateway PLCs are a cleaner fit than buying separate PLC and gateway devices.

A Practical Selection Framework

If you're evaluating a controller swap or specifying a new install, five buyer profiles map cleanly to the catalog:

Frequently Asked Questions

Does CISA AA26-097A only affect Allen-Bradley PLCs?

No. The advisory specifically calls out Rockwell Automation/Allen-Bradley as the primary observed target, but it explicitly states that other vendors may also be at risk and notes that the actors are also targeting Siemens S7 PLCs. Any internet-exposed PLC with weak authentication or unpatched firmware is a candidate target.

Will switching PLC brands make my OT network secure?

No. Cybersecurity is an architectural property, not a product feature. Changing PLC vendors without addressing internet exposure, segmentation, MFA on remote access, and patch management leaves you in the same position as before. Brand selection matters for the development-process and default-posture reasons described above, but it's a downstream factor — implement the CISA mitigations first.

What is IEC 62443 and why does it matter for PLC selection?

IEC 62443 is the international standard for industrial automation and control system cybersecurity. The 4-1 sub-standard certifies the vendor's secure development lifecycle (how they build the product). The 4-2 sub-standard certifies the product itself, with Security Levels 1 through 4 representing increasing levels of defense against motivated attackers. SL2 is generally regarded as the meaningful threshold for commercial OT environments. WAGO's controller development is certified to IEC 62443-4-1.

What's the difference between the PFC300 and the PFC200?

The PFC300 is a generational redesign, not a refresh. Compared to the PFC200 G2 (e.g., 750-8212), the PFC300 offers roughly 4× the CPU performance (dual-core 1.4 GHz vs. single-core 1.0 GHz), 4× the RAM (2 GB vs. 512 MB), 8× the internal flash (32 GB vs. 4 GB), gigabit instead of 100 Mbit Ethernet, native CODESYS V3.5, a USB-C service port, and adds ATEX/IECEx Zone 2 plus marine ABS/DNV approvals. Operating temperature is also extended to -25°C on the low end. PFC200 G2 remains current and is the right specification for most applications today; PFC300 is the right specification for new builds where the longest-lived platform is the priority.

What's the difference between the PFC controllers and the Edge Controller 400?

The PFC family (PFC100, PFC200 G2, PFC300) runs CODESYS V3.5 with a fixed runtime and built-in protocol stack — you program the PLC and use its native fieldbuses, with deterministic real-time control of WAGO 750/753 I/O modules. The Edge Controller 400 runs ctrlX OS, a Linux-based open platform where you install apps to add functionality. PFC controllers are best for traditional, deterministic PLC control with WAGO I/O. The Edge Controller 400 is best when you need flexible IIoT/edge functions plus optional control logic, or when you want to consolidate PLC plus edge PC plus gateway into one device.

Can WAGO and Turck PLCs replace Allen-Bradley controllers in existing applications?

In most plant-floor and process applications, yes — both run CODESYS V3, which is a different engineering environment than Studio 5000, so the migration cost is in the program rewrite rather than in hardware compatibility. Communication protocols are broadly compatible: both vendors support EtherNet/IP, Modbus TCP, PROFINET, and the major industrial Ethernet standards. For ladder-logic-heavy programs, CODESYS supports IEC 61131-3 ladder diagram, function block diagram, structured text, instruction list, and sequential function chart, so the logic translates conceptually even if the syntax differs.

Where do I find the actual indicators of compromise from the advisory?

The full CISA AA26-097A advisory, including IP addresses observed in the campaign, MITRE ATT&CK technique mappings, and complete mitigation guidance, is published at the CISA website. Operators with affected Rockwell devices should also review Rockwell's previously issued guidance on CVE-2021-22681 and the related authentication bypass vulnerabilities.

Talk to Automation Distribution

Automation Distribution is an authorized distributor of WAGO and Turck, with technical support, application engineering, and stock for both lines. If you're evaluating a controller migration in response to the CISA advisory or building a cybersecurity-forward OT architecture from the ground up — including evaluation of the newest-generation WAGO PFC300 and Edge Controller 400 platforms — we can help you scope the controller selection, communication protocol, environmental rating, and integration path.

Call 1-888-600-3080 or browse the WAGO Controllers catalog and Turck PLC catalog.