Aside from an Allen-Bradley manual, not really sure what to read from the hardware side. However, you might want to search on Embedded Device Hacking or Firmware Hacking.
Just reading some of the spec on CIP (couldn't find an RFC; looks to be a manufacturer-created protocol?), two things jump out:
- Transfer of basic I/O data via User Datagram Protocol (UDP)-based implicit messaging
- Uploading and downloading of parameters, setpoints, programs and recipes via TCP (i.e., explicit messaging)
Obvious UDP security issues with the first bullet: spoofing, etc.
The second bullet is very interesting. I suspect if you fiddled with the values in those packets you might be able to get the PLCs to crash, which might mean exploitation is possible. I doubt they have much bounds checking implemented, especially if they are old. It would seem the most malicious of intent would want to exploit this, because success equals changing values or device compromise. I'm totally speculating on this attack vector, but it might be worth a look.
The hardest part would be debugging the crash. It's not like you could just open Immunity and debug the crashes. This part is out of my league.
Looks like there has already been some work done here: http://www.digitalbond.com/tools/baseca ... t-modules/ and http://www.digitalbond.com/tools/baseca ... trollogix/
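As an added example (not part of the original post or of the linked tools), a small Python check over constructed flow records that watches for the two risks noted above from the monitoring side: explicit-messaging sessions from hosts outside an engineering-workstation allowlist, and implicit I/O datagrams from a source other than the PLC's expected peer. It assumes CIP is carried over EtherNet/IP (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O); the addresses, allowlist and log format are assumed.

```python
# Added example, not from the original post: flag risky CIP/EtherNet/IP traffic
# in constructed flow records. Assumes EtherNet/IP's standard ports: TCP 44818
# for explicit messaging (parameter/program downloads) and UDP 2222 for implicit
# I/O. Host addresses, the allowlist and the log format are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "proto src dst dport")

EXPLICIT_TCP_PORT = 44818   # EtherNet/IP explicit messaging (CIP over TCP)
IMPLICIT_UDP_PORT = 2222    # EtherNet/IP implicit I/O (CIP over UDP)

# Constructed policy: which workstations may open explicit sessions to a PLC,
# and which single peer each PLC expects implicit I/O datagrams from.
ENGINEERING_HOSTS = {"10.0.1.10"}
IMPLICIT_PEERS = {"10.0.2.20": "10.0.2.21"}   # PLC address -> expected I/O peer

def parse_flow(line):
    """Parse a constructed flow-log line of the form 'proto src dst dport'."""
    proto, src, dst, dport = line.split()
    return Flow(proto.upper(), src, dst, int(dport))

def classify(flow):
    """Label a flow as CIP 'explicit', CIP 'implicit', or None (not CIP)."""
    if flow.proto == "TCP" and flow.dport == EXPLICIT_TCP_PORT:
        return "explicit"
    if flow.proto == "UDP" and flow.dport == IMPLICIT_UDP_PORT:
        return "implicit"
    return None

def check_flow(flow):
    """Return an alert string for a policy-violating CIP flow, else None."""
    kind = classify(flow)
    if kind == "explicit" and flow.src not in ENGINEERING_HOSTS:
        return f"explicit messaging to {flow.dst} from non-engineering host {flow.src}"
    if kind == "implicit":
        expected = IMPLICIT_PEERS.get(flow.dst)
        if expected is not None and flow.src != expected:
            return f"implicit I/O to {flow.dst} from unexpected source {flow.src} (possible spoofing)"
    return None

def scan(lines):
    """Run every flow line through check_flow and collect the alerts."""
    return [a for a in (check_flow(parse_flow(l)) for l in lines) if a]

# Constructed sample: one allowed explicit session, one rogue explicit session,
# one expected implicit stream, one implicit stream from the wrong source, one
# unrelated TCP flow that should be ignored.
SAMPLE_FLOWS = [
    "TCP 10.0.1.10 10.0.2.20 44818",
    "TCP 10.0.3.99 10.0.2.20 44818",
    "UDP 10.0.2.21 10.0.2.20 2222",
    "UDP 10.0.3.99 10.0.2.20 2222",
    "TCP 10.0.3.99 10.0.2.20 80",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print("ALERT:", alert)
```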