
How PLCs Work—and Why Hackers Target Them

Programmable logic controllers run water plants, power grids, and factories worldwide. Here's how these industrial computers work, why they're vulnerable to cyberattacks, and what makes them a top target for nation-state hackers.

Redakcia

The Invisible Computers Running Civilization

Every time you turn on a tap, flip a light switch, or drive past a factory, there's a good chance a programmable logic controller (PLC) is quietly doing the work behind the scenes. These ruggedized industrial computers control assembly lines, water treatment plants, power substations, and oil refineries. They open valves, start motors, read sensors, and keep critical processes running around the clock—often for years without rebooting.

Yet most people have never heard of them. That obscurity is part of what makes PLCs one of the most consequential—and most vulnerable—targets in cybersecurity.

What a PLC Actually Does

A PLC is a special-purpose computer designed to survive harsh industrial environments—extreme temperatures, dust, vibration, and electrical noise that would destroy a standard laptop. First developed in the late 1960s for the automobile industry, PLCs replaced bulky relay-based control panels with compact, reprogrammable units.

The device operates in a continuous scan cycle, typically completing each loop in a few milliseconds to a few tens of milliseconds. During each cycle, the PLC copies all input signals (from sensors, switches, and transmitters) into an input image table, executes its stored control program against that frozen snapshot, and then writes the results to output devices such as motors, actuators, and alarms. Outputs hold their state until the next cycle rewrites them. This real-time loop is what keeps a water pump running at the right pressure or a conveyor belt moving at precise speed.

Engineers program PLCs using specialized languages, most commonly ladder logic, a graphical format that resembles the relay wiring diagrams it replaced. The IEC 61131-3 standard also defines structured text (a Pascal-like text language), function block diagrams, instruction list, and sequential function charts. Once loaded, a program can run autonomously for years.
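As an added illustration, not code from this article or from any PLC vendor, the scan cycle described above can be simulated in Python. The two-rung program is a classic start/stop seal-in circuit with a high-level interlock, the kind of thing a water-pump controller runs; the tag names START_PB, STOP_PB, HIGH_LEVEL, PUMP and HIGH_ALARM are assumptions made for this example.

```python
"""PLC scan-cycle simulator (added example, not any vendor's code).

Models the read-inputs / solve-logic / write-outputs loop with a small
two-rung program written in the style of a ladder seal-in circuit:

    Rung 1:  --[ START_PB ]--+--]/[ STOP_PB ]--]/[ HIGH_LEVEL ]--( PUMP )--
                             |
             --[   PUMP   ]--+
    Rung 2:  --[ HIGH_LEVEL ]--( HIGH_ALARM )--

Tag names are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PLC:
    inputs: Dict[str, bool] = field(default_factory=dict)   # input image table
    outputs: Dict[str, bool] = field(default_factory=dict)  # output image table
    scans: int = 0

    def scan(self, field_values: Dict[str, bool]) -> Dict[str, bool]:
        """Run one scan cycle and return a copy of the output image table."""
        # 1. Input scan: snapshot the field into the input image table. The
        #    logic sees this frozen copy even if a sensor flips mid-scan.
        self.inputs = dict(field_values)
        # 2. Program scan: evaluate the rungs in order.
        self._solve_logic()
        # 3. Output scan: the output image is written to the field and stays
        #    latched until the next cycle rewrites it.
        self.scans += 1
        return dict(self.outputs)

    def _solve_logic(self) -> None:
        start = self.inputs.get("START_PB", False)
        stop = self.inputs.get("STOP_PB", False)    # True = stop button pressed
        high = self.inputs.get("HIGH_LEVEL", False)
        pump = self.outputs.get("PUMP", False)      # previous cycle's output
        # Rung 1, seal-in: once started, PUMP holds itself on through the
        # parallel PUMP contact until STOP or the HIGH_LEVEL interlock opens.
        self.outputs["PUMP"] = (start or pump) and not stop and not high
        # Rung 2: the interlock also raises an alarm.
        self.outputs["HIGH_ALARM"] = high


def run_sequence(events: List[Dict[str, bool]]) -> List[bool]:
    """Feed one set of field values per scan and return PUMP after each."""
    plc = PLC()
    return [plc.scan(ev)["PUMP"] for ev in events]


# Constructed sequence of field states, one per scan cycle.
SEQUENCE = [
    {},                      # idle
    {"START_PB": True},      # operator presses start
    {},                      # start released: seal-in keeps PUMP on
    {"HIGH_LEVEL": True},    # interlock trips: PUMP drops out
    {},                      # level back to normal: stays off until restarted
    {"START_PB": True},      # restart
    {"STOP_PB": True},       # stop pressed
]

if __name__ == "__main__":
    print(run_sequence(SEQUENCE))
```

The point to notice is that the controller's behaviour is entirely determined by the logic it holds plus the input snapshot it takes each cycle: whoever can change that logic, or what the controller believes its inputs are, controls the physical process.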

Why PLCs Are Vulnerable

PLCs were designed in an era when industrial networks were physically isolated from the internet. Security was barely a consideration—the assumption was that no outsider could reach these devices. That assumption no longer holds.

As factories and utilities embraced the Industrial Internet of Things, PLCs increasingly connect to corporate networks and even the public internet for remote monitoring and management. Many devices still use decades-old communication protocols with no encryption or authentication. Default passwords are common. Firmware updates are rare.
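To make the "no encryption or authentication" point concrete, here is an added example, not code from this article or any vendor, that builds and parses Modbus/TCP request frames. Modbus is chosen here as a representative decades-old PLC protocol; the article does not name a specific one. The register address and setpoint value used at the bottom are made up for the example.

```python
"""Modbus/TCP frame builder and parser (added example).

A frame is a 7-byte MBAP header followed by the protocol data unit (PDU):

    transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
    | function code (1) | data (n)

Nothing in that layout identifies or authenticates the sender, so a
controller cannot tell a write from its HMI apart from the same bytes sent
by any other host that can reach TCP port 502.
"""
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
# Function codes that change controller state (write coils / registers).
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Wrap a PDU in an MBAP header. The length field counts unit id + PDU."""
    pdu = bytes([function_code]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id)
    return mbap + pdu


def write_single_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Function 0x06: set one 16-bit holding register, e.g. a setpoint."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER,
                       struct.pack(">HH", address, value))


def read_holding_registers(transaction_id: int, unit_id: int, address: int, quantity: int) -> bytes:
    """Function 0x03: read `quantity` registers starting at `address`."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                       struct.pack(">HH", address, quantity))


def parse_frame(frame: bytes) -> dict:
    """Decode a request frame; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code, data = frame[7], frame[8:]
    decoded = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        # Flag for a monitor: writes deserve more scrutiny than reads.
        "is_write": function_code in WRITE_FUNCTION_CODES,
    }
    if function_code in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_REGISTER):
        if len(data) != 4:
            raise ValueError("function needs exactly 4 data bytes")
        address, second = struct.unpack(">HH", data)
        decoded["address"] = address
        decoded["quantity" if function_code == FC_READ_HOLDING_REGISTERS else "value"] = second
    return decoded


if __name__ == "__main__":
    # Constructed request: set hypothetical setpoint register 16 to 1500.
    frame = write_single_register(transaction_id=1, unit_id=1, address=16, value=1500)
    print(frame.hex())   # 0001000000060106001005dc
    print(parse_frame(frame))
```

Every field in the decoded dictionary is either a sequence counter or a description of what to change; there is no session, key or signature to check. That is why the defenses later in this article are about who can reach the controller at all, not about hardening the protocol.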

The result is a massive attack surface. According to cybersecurity researchers at UpGuard, thousands of PLCs remain directly exposed to the internet, often without the knowledge of the organizations that operate them.

Stuxnet: The Attack That Changed Everything

The world woke up to PLC vulnerabilities in 2010, when researchers discovered Stuxnet, a sophisticated worm widely attributed to a joint U.S.-Israeli operation. Stuxnet targeted the Siemens Step 7 software used to program the S7-300 and S7-400 PLCs at Iran's Natanz enrichment facility. It injected its own code into the controllers, repeatedly altered the rotational speed of uranium-enrichment centrifuges, and fed operators normal-looking readings while it did so. The worm infected over 200,000 computers and physically destroyed roughly 1,000 centrifuges.

Stuxnet proved that cyberattacks on industrial controllers could cause real-world physical damage—a lesson that has only grown more urgent since.

A Growing Threat

In April 2026, six U.S. federal agencies—including the FBI, CISA, and NSA—issued a joint advisory warning that Iranian-affiliated hackers had been exploiting internet-exposed Rockwell Automation PLCs across U.S. water, energy, and government facilities. The attackers used legitimate configuration software to connect to CompactLogix and Micro850 controllers, altering SCADA display data and disrupting operations.

The advisory underscores a persistent problem: many organizations still leave PLCs reachable from the internet, violating the most basic rule of industrial security, which is that operational technology must never be exposed to public networks.

How to Protect PLCs

Cybersecurity experts and agencies like CISA recommend several core defenses:

  • Disconnect PLCs from the internet. Devices that control physical processes should never be directly reachable online.
  • Segment networks. Separate operational technology (OT) networks from corporate IT networks using firewalls and demilitarized zones.
  • Change default credentials and enable authentication where supported.
  • Monitor for anomalies. Unusual configuration changes or unexpected network connections should trigger alerts.
  • Update firmware and apply vendor security patches. Most controllers must be stopped to update, so schedule this into maintenance windows rather than skipping it.
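As an added example of the monitoring recommendation, not tooling from CISA or any vendor, the following Python applies an allowlist to constructed OT event lines and alerts on connections to controllers from unexpected or public hosts and on configuration changes that do not come from an engineering workstation inside its maintenance window. All addresses, ports, action names and the line format are assumptions made for this example.

```python
"""Allowlist-based monitoring for a PLC network segment (added example).

Walks constructed, already-decoded OT events of the kind a passive network
monitor or firewall would log and raises alerts for two conditions:
unexpected network connections to controllers and unusual configuration
changes. The addresses, port-to-protocol map, maintenance window and the
"timestamp src dst dport action" line format are all assumptions.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime

# Hypothetical addressing for this example.
PLC_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.10.5.21")}
HMI_SERVERS = {ipaddress.ip_address("10.10.5.30")}
ALLOWED_PEERS = ENGINEERING_WORKSTATIONS | HMI_SERVERS
PLC_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm"}
CHANGE_ACTIONS = {"program_download", "firmware_update", "mode_change", "modbus_write"}
MAINTENANCE_HOURS_UTC = range(2, 5)   # 02:00 to 04:59 UTC

# Constructed events, one per line: timestamp src dst dport action
SAMPLE_EVENTS = [
    "2024-03-02T03:10:00Z 10.10.5.21 10.20.0.7 44818 program_download",
    "2024-03-02T09:15:00Z 10.10.5.30 10.20.0.7 502 modbus_read",
    "2024-03-02T11:42:00Z 10.10.8.99 10.20.0.7 502 modbus_write",
    "2024-03-02T14:05:00Z 203.0.113.45 10.20.0.9 44818 program_download",
    "2024-03-02T14:06:00Z 10.10.5.21 10.20.0.9 44818 mode_change",
    "2024-03-02T14:07:00Z 10.10.5.30 10.30.0.5 443 https",
]


def parse_event(line: str) -> dict:
    ts, src, dst, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "action": action,
    }


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def analyze(lines) -> list[dict]:
    """Return one alert dict per rule violation, in event order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["dst"] not in PLC_SEGMENT:
            continue  # only traffic into the controller segment is in scope
        proto = PLC_PORTS.get(ev["dport"], f"tcp/{ev['dport']}")
        base = {"ts": ev["ts"].isoformat(), "src": str(ev["src"]),
                "dst": str(ev["dst"]), "proto": proto}
        # Rule 1: who is talking to the controller? A source outside the
        # organization's address space means the PLC is reachable from the
        # internet; an internal host not on the allowlist is still unexpected.
        if not is_internal(ev["src"]):
            alerts.append({**base, "rule": "external_source"})
        elif ev["src"] not in ALLOWED_PEERS:
            alerts.append({**base, "rule": "unexpected_connection"})
        # Rule 2: state-changing actions are only expected from an engineering
        # workstation inside the maintenance window.
        if ev["action"] in CHANGE_ACTIONS and (
            ev["src"] not in ENGINEERING_WORKSTATIONS
            or ev["ts"].hour not in MAINTENANCE_HOURS_UTC
        ):
            alerts.append({**base, "rule": "config_change", "action": ev["action"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the first two lines (a scheduled program download and routine HMI polling) are silent, while the unknown internal host writing to a register, the public address downloading a program, and the engineering workstation changing controller mode in the middle of the day each produce alerts. Because the protocols carry no authentication, knowing which hosts are supposed to talk to the PLC, and when, is the detection signal.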

PLCs will remain the backbone of industrial civilization for decades to come. Keeping them secure is no longer an engineering afterthought—it's a matter of national security.
