Airgapping via PLC

CyberX demonstrated how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded data. The emitted RF signals are a byproduct of repeatedly writing to PLC memory in a specific way. Once transmitted, the signal can be picked up by a nearby antenna before being decoded using a low-cost Software-Defined Radio (SDR) and a PC. “The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead,” according to CyberX.

Source: Why bother cracking PCs? Spot o’ malware on PLCs… Done. Industrial control network pwned • The Register