PLC Security: The Hidden Vulnerability on Every Shop Floor

In April 2026, the FBI, CISA, the NSA, and three other federal agencies issued a joint warning that should matter to every manufacturer running a shop floor: hackers linked to Iran were actively breaking into programmable logic controllers, the devices that run machinery in plants across the country. Overnight, PLC security became more than an abstract IT concern.

The attackers weren't using an advanced exploit. They were logging into PLCs sitting wide open on the public internet, using the same software the manufacturer's own engineers use to program them, and in more than a few cases, a password nobody ever bothered to change.

For a lot of manufacturing shops, this was the first time anyone connected the words "PLC" and "cybersecurity" in the same sentence. That needs to change, and fast.

 

Key Takeaways

  • In April 2026, federal agencies confirmed that hackers were actively targeting internet-exposed PLCs using default passwords and the manufacturer's own legitimate software instead of sophisticated exploits.
  • These are the controllers that run shop-floor machinery, and they are often not thought of as a cybersecurity risk, even though thousands of these devices are still reachable from the open internet today.
  • This post covers why PLCs get left out of most security plans, what the current attack looks like, and the specific steps manufacturers need to take to get their controllers off the internet's front porch without slowing down production.

 

Table of Contents

  1. Why Do PLCs Need Their Own Security Plan?
  2. The Attack That's Happening Right Now
  3. Why PLCs Get Left Out of the Security Conversation
  4. How Attackers Are Getting In
  5. How to Secure Your PLCs Without Slowing Down Production
  6. Where TMGC Fits In

 

Why Do PLCs Need Their Own Security Plan?

A PLC, or programmable logic controller, doesn’t get patched like a laptop, and it wasn't built with security in mind. Most were designed decades ago to be reliable and fast, not to fend off hackers. That gap between what a PLC was built to do and what it's now exposed to is exactly what the April 2026 advisory was about.

 

The Attack That's Happening Right Now

In April 2026, the FBI, CISA, the NSA, the EPA, the Department of Energy, and US Cyber Command jointly confirmed that Iranian-affiliated hackers were actively exploiting internet-facing PLCs, specifically Rockwell Automation and Allen-Bradley controllers, across US critical infrastructure and manufacturing. The attacks caused real operational disruption and financial losses.

The advisory, tracked as AA26-097A, described a campaign that had been running since at least March 2026. The attackers manipulated data on HMI and SCADA displays, interfered with PLC project files, and disrupted operations at facilities in water treatment, energy, and manufacturing.

What makes this campaign worth paying attention to on a Colorado shop floor, not just a water utility, is how the attackers got in. Researchers at Censys identified over 5,000 internet-exposed Rockwell and Allen-Bradley devices worldwide, with roughly three out of every four sitting inside the United States. Nozomi Networks' field CISO told reporters that more than 3,000 Rockwell devices remain visible on the public internet right now, often because the owner doesn't realize they're exposed or doesn't think it matters.

 

Why PLCs Get Left Out of the Security Conversation

PLCs fall into a blind spot because they're typically installed and maintained by a controls engineer or an outside integrator, not by IT. Once a machine is running, nobody circles back to check whether the controller is still secure. It just becomes part of the equipment, the same as a motor or a belt.

We see this constantly with manufacturing clients:

  • The PLC on the floor was set up years ago by an integrator who's long gone.
  • The password is whatever came on the device out of the box, because changing it felt riskier than leaving it alone.
  • Nobody in the building can tell you if that PLC can be reached from outside the network, because nobody has ever asked the question.

Most IT teams manage servers and workstations while control engineers manage machinery. PLCs sit in the middle, and in a lot of shops, nobody owns that middle ground.

 

How Attackers Are Getting In

The tactics behind the April 2026 campaign weren't complicated, which should be the alarming part for any manufacturer reading the news. The attackers used Rockwell's own Studio 5000 Logix Designer software, the same tool many of your engineers likely use, to connect directly to exposed controllers. They simply targeted a known authentication weakness in the software and walked in through the front door.

Once inside, they targeted specific ports tied to industrial protocols and deployed remote access tools to keep their foothold. The whole approach relies on three things being true: the PLC is reachable from the internet, its credentials are weak or default, and nobody is watching for unusual activity on that device. Those three conditions describe a huge number of shop floors right now, including plenty that have never had a single conversation about managed cybersecurity for their production equipment.

 

How to Secure Your PLCs Without Slowing Down Production

The good news is that the fixes here don't require ripping out equipment or halting a production run.

  • Get PLCs off the public internet: No controller should be directly reachable from outside your network. If remote access is needed for a vendor or an integrator, it should run through a secured, monitored connection, not a direct line to the device.
  • Change every default password: This sounds obvious, and it's still the single biggest gap federal agencies flagged in the April advisory.
  • Require MFA for remote OT access: Anyone connecting into your production network from outside, including vendors, should need more than a password.
  • Segment your network: Office systems, guest wifi, and production equipment shouldn't share the same flat network. If one gets compromised, segmentation keeps it from spreading. This is the same principle behind solid IT infrastructure management for the rest of your building.
  • Know what you have: You can't secure a PLC you don't know is on your network. A basic asset inventory of every controller, its IP address, and who can reach it is step one.
  • Keep tested backups of PLC project files: If a controller does get tampered with, having a clean, offline copy of its logic is what gets you back running fast instead of guessing at what changed.
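
To make the "know what you have" step concrete, here is an added example (not part of the original post) that audits a controller inventory for the three conditions described above: reachable from outside, default password, and unmonitored. The CSV columns, the sample rows, and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample inventory: the column names and every row are assumptions
# for this example. 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges
# standing in for public addresses.
SAMPLE_INVENTORY = """\
name,ip,allowed_sources,default_password_changed,monitored
press-line-1,10.20.1.15,10.20.0.0/16,yes,yes
packaging-2,10.20.1.30,10.20.0.0/16;0.0.0.0/0,no,no
cnc-cell-4,198.51.100.23,10.20.0.0/16,yes,no
mixer-7,10.20.2.8,10.20.0.0/16;192.0.2.10/32,no,yes
"""

# Private IPv4 space (RFC 1918); anything outside it is treated as external.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_row(row):
    """Return the findings for one controller row (IPv4 only)."""
    findings = []
    addr = ipaddress.ip_address(row["ip"].strip())
    if not any(addr in net for net in RFC1918):
        findings.append("public-address")
    for cidr in filter(None, (c.strip() for c in row["allowed_sources"].split(";"))):
        src = ipaddress.ip_network(cidr, strict=False)
        if not any(src.subnet_of(net) for net in RFC1918):
            findings.append(f"external-source:{src}")
    if row["default_password_changed"].strip().lower() != "yes":
        findings.append("default-password")
    if row["monitored"].strip().lower() != "yes":
        findings.append("unmonitored")
    return findings

def audit_inventory(text):
    """Map controller name -> list of findings."""
    return {r["name"]: audit_row(r) for r in csv.DictReader(io.StringIO(text))}

def fix_first(findings):
    """True when reachable from outside, default password and unmonitored all hold."""
    exposed = any(f == "public-address" or f.startswith("external-source:")
                  for f in findings)
    return exposed and "default-password" in findings and "unmonitored" in findings

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        flag = "FIX FIRST" if fix_first(findings) else ""
        print(f"{name:14} {', '.join(findings) or 'ok':55} {flag}")
```

A firewall rule that admits a vendor's address directly shows up as an external source here, which is the "direct line to the device" the first bullet says to replace with a secured, monitored connection.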

 

Where TMGC Fits In

We work with manufacturers across Metro Denver and the Front Range who've spent years thinking about firewalls and email security without ever asking who can reach the PLC running their press. That gap is exactly where the April 2026 advisory should push every shop owner to look next.

If you run defense contracts on top of that, the stakes get higher. Exposed OT devices are the kind of gap that shows up fast in a CMMC compliance assessment. We build manufacturing IT services around this exact blind spot, connecting office and production networks the right way, with backups and recovery for production data built in from day one through our data protection approach.

You don't need to overhaul your shop floor to close this gap. You need someone to walk the network with you and tell you what's reachable. Reach out and we'll be happy to take a look!

 
