When the HMI Lies: Lessons from CISA Advisory AA26-097A
Security
The joint advisory issued on April 7, 2026, by CISA and the FBI regarding the targeting of Rockwell Automation/Allen-Bradley PLCs highlights a specific, operational vulnerability that goes beyond simple downtime.
The core of the threat isn't just unauthorized access. The actors are reportedly manipulating project files and Human Machine Interface (HMI) displays to show "normal" operations while the actual physical processes are being disrupted.
The Problem of Digital Trust
In a typical control room environment, the operator's primary source of truth is the HMI. If the screen shows that pressures, temperatures, and breaker statuses are within normal parameters, the assumption is that the grid is stable.
However, when an adversary modifies the PLC's logic or the HMI's communication, the digital representation of the asset becomes a mask. This creates a "trust gap" where the perimeter defense might show a secure login, but the internal logic has been compromised.
Moving the Source of Truth to the Wire
To address this, we have to look past the HMI and the Windows-based applications. The only objective source of truth in a utility environment is the raw network traffic at the OT layer.
By analyzing the actual packets moving between the PLC and the field devices, we can identify discrepancies that a compromised HMI would otherwise hide. This is where ML becomes a practical necessity rather than a buzzword:
- Behavioral Baselines: Establishing what "normal" communication looks like between specific controllers.
- Anomaly Detection: Identifying unauthorized project file uploads or logic changes in real-time, even if those changes aren't reflected on the operator's console.
- Verification: Providing a secondary, independent channel to verify that what the operator sees on the screen matches the physical reality of the hardware.
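As an added illustration, not from the advisory or this post, the following Python sketch shows the three items above over constructed flow records: a learned baseline of controller-to-device communication, flagging of flows and state-changing services that fall outside it, and an independent check of HMI-displayed tag values against values observed on the wire. Device names, tag names and service labels are constructed placeholders, not real protocol identifiers.

```python
from collections import Counter

# Constructed OT flow records as (src, dst, service). In a real deployment these
# would come from parsed OT protocol traffic; the labels here are illustrative.
BASELINE_FLOWS = [
    ("hmi-01", "plc-07", "read_tag"),
    ("hmi-01", "plc-07", "read_tag"),
    ("plc-07", "io-rack-3", "cyclic_io"),
    ("plc-07", "io-rack-3", "cyclic_io"),
    ("eng-ws-02", "plc-07", "read_tag"),
]

# Constructed live capture: one flow never seen during baselining
OBSERVED_FLOWS = [
    ("hmi-01", "plc-07", "read_tag"),
    ("plc-07", "io-rack-3", "cyclic_io"),
    ("10.0.99.42", "plc-07", "download_logic"),
]

# Services that alter controller state; alert on these even from known peers
STATE_CHANGING = {"download_logic", "write_tag", "change_mode"}


def build_baseline(flows):
    """Learn which (src, dst, service) triples are normal, with counts."""
    return Counter(flows)


def detect_anomalies(baseline, flows):
    """Flag flows absent from the baseline and any state-changing service."""
    alerts = []
    for src, dst, svc in flows:
        if (src, dst, svc) not in baseline:
            alerts.append(f"new flow: {src} -> {dst} {svc}")
        if svc in STATE_CHANGING:
            alerts.append(f"state change: {src} -> {dst} {svc}")
    return alerts


def verify_hmi_against_wire(hmi_view, wire_view, tolerance):
    """Compare tag values the HMI displays with values observed on the wire.

    Returns (tag, shown, actual) for each tag that is missing on the wire or
    differs from the HMI by more than the tolerance.
    """
    mismatches = []
    for tag, shown in hmi_view.items():
        actual = wire_view.get(tag)
        if actual is None or abs(actual - shown) > tolerance:
            mismatches.append((tag, shown, actual))
    return mismatches
```

The logic download from an unknown host produces two alerts, one for the unseen flow and one for the state change, while the verification step surfaces a tag the HMI shows as normal but the wire reports otherwise.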
Navigating Global Regulatory Pressure
This technical shift toward deeper visibility isn't just about operational reliability; it is increasingly a requirement for staying on the right side of regulators.
For utilities in the United States, this level of granular monitoring is central to meeting the evolving requirements of NERC CIP, particularly regarding incident detection and system security management. Simultaneously, for entities operating in the European Union, this approach aligns with the NIS2 Directive - the EU's expanded cybersecurity framework - which mandates that "essential" energy providers implement more rigorous risk management and incident reporting capabilities.
Operational Reality
The takeaway from the events of early April is that perimeter security is no longer the finish line. As adversaries become more adept at manipulating OT-specific protocols, our visibility must move deeper into the stack.
If we cannot trust the screen, we must trust the data on the wire. Continuous monitoring and ML-driven analysis are the tools that allow us to verify that "normal" actually means "safe."