A PLC (Programmable Logic Controller), also known as an industrial programmable controller or automated controller, is a hardened computer designed to control machines, production lines, or industrial processes in real-time. It is the brain of operations: it receives data from sensors, executes programmed control logic, and sends commands to actuators (motors, valves, conveyors, etc.).

Where Are PLCs Found?

PLCs are everywhere in industry: automotive assembly lines, food & beverage packaging systems, power plants, water treatment facilities, refineries, machine tools, elevators, HVAC systems, and beyond.

PLC Characteristics:

  • Real-time: Sub-millisecond response times, with no tolerance for added latency
  • Harsh environments: Extreme temperatures, vibrations, dust exposure
  • Longevity: 15–30 year lifespan, often without software updates
  • Specialized protocols: Modbus, Profinet, EtherNet/IP, S7comm (Siemens), varies by manufacturer

Why Are PLCs Vulnerable?

  1. Designed Without Cybersecurity: No authentication, no encryption, and firmware that can be modified without any control
  2. Unpatchable Legacy Systems: Updating them risks disrupting production, so most companies accept the cyber risk to avoid operational disruption
  3. Growing Connectivity: Once air-gapped, PLCs are now increasingly connected to IT networks for supervisory control, remote maintenance, and Industrial IoT
  4. Publicly Documented Vulnerabilities: Protocols and known exploits are widely accessible to attackers

Concrete Cyber Risks:

  • Logic Manipulation: Attackers can rewrite PLC programs to alter machine behavior (e.g., Stuxnet)
  • Abrupt Shutdown: Forced shutdown commands, configuration destruction
  • Industrial Espionage: Theft of proprietary logic and production recipes/formulas
  • Physical Attacks: Malicious commands causing overheating, overpressure, or mechanical collision

How to Secure PLCs?

When patching is impossible, compensate with strategy: strict network segmentation (Purdue Model), behavioral monitoring of communications, whitelisting of legitimate commands, and restricted, audited access. Defense must be external and non-intrusive, never compromising real-time operations.
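As an added example (not code from the original article), the Python script below shows what the "legitimate command whitelisting" and communication monitoring described above look like for Modbus/TCP, one of the protocols listed under PLC characteristics. It parses each request frame's MBAP header and PDU, then checks the source host, the function code and, for writes, the register range against a per-host policy. The hosts, register ranges, policy layout and sample frames are all constructed for the example; only the frame format and function codes come from the public Modbus specification.

```python
"""Modbus/TCP command allowlisting monitor (added example, constructed traffic)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes. A Modbus request carries no authentication,
# so the source host and the function code are all a monitor has to go on.
READ_CODES = frozenset({0x01, 0x02, 0x03, 0x04})   # read coils / inputs / registers
WRITE_CODES = frozenset({0x05, 0x06, 0x0F, 0x10})  # write single/multiple coils and registers
MULTI_WRITE_CODES = frozenset({0x0F, 0x10})        # these carry a quantity field


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int     # starting coil/register address
    payload: bytes   # remainder of the PDU after the address


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU; reject frames that do not fit the spec."""
    if len(frame) < 10:  # MBAP (7) + function code (1) + address (2)
        raise ValueError("frame too short for MBAP header, function code and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, unit, frame[7], address, frame[10:])


def build_modbus_tcp(tid: int, unit: int, function_code: int, address: int, data: bytes = b"") -> bytes:
    """Build a request frame; used here only to construct sample traffic."""
    pdu = struct.pack(">BH", function_code, address) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass(frozen=True)
class Rule:
    function_codes: frozenset
    write_ranges: tuple = ()  # inclusive (low, high) ranges a write may touch; () = any


# Constructed policy (hypothetical hosts): the HMI may read anything and write
# only setpoint registers 100..119; the historian is read-only.
POLICY = {
    "10.1.2.10": Rule(READ_CODES | {0x06, 0x10}, ((100, 119),)),  # HMI
    "10.1.2.20": Rule(READ_CODES),                                # historian
}


def write_span(req: ModbusRequest) -> tuple[int, int]:
    """Inclusive address range touched by a write request."""
    if req.function_code in MULTI_WRITE_CODES:
        if len(req.payload) < 2:
            raise ValueError("multiple-write request lacks a quantity field")
        (quantity,) = struct.unpack(">H", req.payload[:2])
    else:
        quantity = 1
    return req.address, req.address + max(quantity, 1) - 1


def evaluate(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return ('allow' | 'alert', reason) for one request frame seen from src_ip."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "alert", f"{src_ip}: malformed frame ({exc})"
    rule = POLICY.get(src_ip)
    if rule is None:
        return "alert", f"{src_ip}: not an allowlisted Modbus client (fc 0x{req.function_code:02X})"
    if req.function_code not in rule.function_codes:
        return "alert", f"{src_ip}: function 0x{req.function_code:02X} not permitted for this host"
    if req.function_code in WRITE_CODES and rule.write_ranges:
        try:
            low, high = write_span(req)
        except ValueError as exc:
            return "alert", f"{src_ip}: malformed write ({exc})"
        if not any(lo <= low and high <= hi for lo, hi in rule.write_ranges):
            return "alert", f"{src_ip}: write to {low}..{high} outside permitted ranges"
    return "allow", f"{src_ip}: fc 0x{req.function_code:02X} at address {req.address}"


def demo() -> list[str]:
    """Run constructed traffic through the monitor; returns the verdicts in order."""
    samples = [
        ("10.1.2.10", build_modbus_tcp(1, 1, 0x06, 105, struct.pack(">H", 1500))),   # HMI setpoint write
        ("10.1.2.20", build_modbus_tcp(2, 1, 0x03, 0, struct.pack(">H", 10))),       # historian read
        ("10.1.2.20", build_modbus_tcp(3, 1, 0x06, 105, struct.pack(">H", 0))),      # historian attempts a write
        ("10.1.2.10", build_modbus_tcp(4, 1, 0x10, 118, struct.pack(">HB", 4, 8) + bytes(8))),  # runs past 119
        ("10.1.9.99", build_modbus_tcp(5, 1, 0x05, 7, b"\xff\x00")),                 # unknown host writes a coil
        ("10.1.2.10", b"\x00\x06\x00\x00\x00\x02\x01\x03"),                           # truncated frame
    ]
    verdicts = []
    for src, frame in samples:
        verdict, reason = evaluate(src, frame)
        verdicts.append(verdict)
        print(f"{verdict:5s} {reason}")
    return verdicts


if __name__ == "__main__":
    demo()
```

Two points the run makes concrete. The coil write from the unknown host is byte-for-byte the same kind of frame the HMI would send, because Modbus has no authentication; the only thing that distinguishes it is network context, which is why the article insists that defenses be external to the PLC. And because the monitor only reads frames, it can be fed from a passive tap or mirror port in the segmented cell network, adding no latency to the control path.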