Air-gapped industrial networks are assumed to be impenetrable because they are disconnected from the Internet and even from corporate IT networks. However, there are multiple ways that attackers can deploy malware to an air-gapped network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes. In this talk, we cover the following scenario: An attacker compromises the air-gapped network with autonomous, self-directed malware that performs reconnaissance to discover the network topology, the specific types of industrial devices connected to it (as with the CrashOverride malware used in the 2016 Ukrainian grid attack), and perhaps sensitive IP such as secret formulas and nuclear blueprints. Once the reconnaissance information has been collected, how do you exfiltrate the data so it can used to plan and mount physical attacks? Previous researchers have shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs, but persistent PC-based malware has a high probability of being detected. However, Programmable Logic Controllers (PLCs) don't use anti-malware programs because they have limited CPU/memory and run embedded real-time operating systems. As a result, they're ideal targets for compromise using malicious ladder logic (the code used in PLCs). We'll explain how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded reconnaissance data. The signal can then be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead. Finally, we'll show a live demo and discuss various ways to defend against this type of attack.