Control systems rely on accurate sensor measurements to safely regulate physical processes. In False Data Injection (FDI) attacks, adversaries inject forged sensor measurements into a control system in hopes of misguiding control algorithms into taking dangerous actions. Traditional FDI attacks mostly require adversaries to know the full system topology, i.e., hundreds or thousands of lines and buses, while having unpredictable consequences. In this paper, we present a new class of FDI attacks directly against individual Programmable Logic Controllers (PLCs), which are ubiquitous in power generation and distribution. Our attack allows the adversary to have only partial information about the victim subsystem, and produces a predictable malicious result. Our attack tool analyzes an I/O trace of the compromised PLCs to produce a set of inputs to achieve the desired PLC outputs, i.e., the system behavior. It proceeds in two steps. First, our tool constructs a model of the PLC's internal logic from the I/O traces. Second, it searches for a set of inputs that cause the model to calculate the desired malicious behavior. We evaluate our tool against a set of representative control systems and show that it is a practical threat against insecure sensor configurations.