The Problem with Internet-Connected PLCs Isn't New

April 21, 2026

Recent headlines about Iranian state-linked activity targeting internet-connected PLCs have put a spotlight on a real issue:

If a PLC is exposed to the internet, it is already at risk.  

We discussed that topic with Travis Noteboom, Operational Technology (OT) Manager at Interstates, and Joe Breeden, Director of OT Cybersecurity at Interstates. Their perspective was consistent: the headlines may be new, but the underlying risk is not. As Joe put it, “Security is not something you only worry about when there’s a news release.”  

What "Internet-Connected PLC" Means 

At a practical level, this usually means a PLC can be reached from outside your network. That could happen if it is directly exposed, if a cellular modem provides a path in, or if remote-access tools and network settings leave a door open that was never fully closed. 

Travis described it plainly: “Your PLC is connected in a way that it’s directly accessible from the internet.” Joe added that “there’s no safeguard in place between your PLC and the internet.”   

If someone outside your environment can reach the device, that device is more exposed than it should be. 

Why This Is a Risk, Even Without the News 

The reason internet-connected PLCs are a concern is simple: once something is reachable from the internet, it can be found, scanned, and targeted. That’s always been true. The current headlines just make the issue more visible.  

Joe compared it to weather alerts: “If it’s already 100 degrees that week, I should have already been wearing sunscreen. The fact that it’s 105 is just another number that doesn’t change the threat.” In other words, the warning may be new, but the risk was already there.  

In many cases, the bigger concern is not the PLC alone, but the conditions that allowed it to become internet-connected: 

  • remote access tools 
  • vendor connections 
  • network settings that were meant to be temporary 
  • equipment installed as part of a project, but never fully reviewed after commissioning

Many of these situations are not the result of bad intent. More often, something was added to get a job done, and nobody circled back to make sure it was fully secured. 

What the Iran Headlines Do (and Do Not) Mean 

The current attention around Iran does not mean every PLC is suddenly in danger because of this event alone. It means the issue is newsworthy right now. 

Joe’s framing was direct: “It’s not like if this war ends tomorrow, that the threat goes away.” The real problem is exposure, not the headline itself.  

That’s why the right response is not panic. It’s a quick check of your own exposure. 

What to Check First 

If you want a fast gut check, start with these questions: 

  • Do we know whether any PLCs are reachable from the internet? 
  • Do we have a firewall or safeguard between PLCs and public access? 
  • Does remote access require multi-factor authentication? 
  • Are we using a trusted, approved remote access solution? 
  • Do operator stations or vendor tools have broader internet access than they should? 
  • Have we ever opened access temporarily and forgotten to close it? 

Travis noted that if multi-factor authentication (MFA) is part of the remote-access process, that is often a good sign that the environment has some basic controls in place. It’s not a guarantee, but it’s a meaningful indicator that access is being handled thoughtfully.  

If you’re not sure, that’s already a signal to dig deeper. 
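
One way to start answering the first and last questions above from your own firewall's rule export. This is an added example, not code from Interstates or the original article. The CSV layout, the PLC subnet `10.20.0.0/24`, the rule names, and the 30-day limit on "temporary" rules are assumptions for illustration; the ports are the standard ones for S7comm, Modbus/TCP, and EtherNet/IP.

```python
import csv, io, ipaddress
from datetime import date

# Assumed for illustration: your PLC subnets and internal (RFC 1918) ranges.
PLC_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 44818: "EtherNet/IP"}

# Constructed sample of an exported inbound rule list (not real data).
RULES_CSV = """name,src,dst,port,created,comment
vendor-vpn,198.51.100.7/32,10.20.0.15/32,443,2025-11-02,vendor support portal
commissioning,0.0.0.0/0,10.20.0.10/32,44818,2024-03-18,TEMP for startup
historian,10.30.0.5/32,10.20.0.0/24,502,2023-06-01,historian polling
modem-nat,0.0.0.0/0,10.20.0.22/32,502,2025-01-09,cellular modem forward
"""

def is_public(net):
    # "any" (0.0.0.0/0) and every source outside the internal ranges count
    # as reachable from the internet.
    return not any(net.subnet_of(i) for i in INTERNAL)

def audit(rules_csv, today, max_temp_age_days=30):
    findings = []
    for r in csv.DictReader(io.StringIO(rules_csv)):
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        if not any(dst.overlaps(n) for n in PLC_NETS):
            continue  # rule does not touch a PLC subnet
        port = int(r["port"])
        age = (today - date.fromisoformat(r["created"])).days
        reasons = []
        if is_public(src):
            reasons.append("public source reaches PLC subnet")
            if port in OT_PORTS:
                reasons.append(f"{OT_PORTS[port]} exposed directly")
        if "temp" in r["comment"].lower() and age > max_temp_age_days:
            reasons.append(f"temporary rule still open after {age} days")
        if reasons:
            findings.append((r["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit(RULES_CSV, date(2026, 4, 21)):
        print(f"{name}: " + "; ".join(reasons))
```

A clean result only covers the rules in the export; paths through cellular modems or remote-access tools that bypass the firewall still need a separate review.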

A Practical Way to Check 

If you want another way to validate exposure, Shodan can be a useful tool for finding internet-facing devices. Travis suggested that if you search for your own environment and find it there, that’s a strong signal that something is reachable from the public internet.  

That doesn’t replace a proper internal review, but it can help confirm whether anything unexpected is visible from outside.

What Good Remote Access Looks Like 

Good remote access should feel controlled, intentional, and limited. At a minimum, it should: 

  • require multi-factor authentication 
  • use trusted, reputable tools 
  • avoid consumer-grade or homegrown solutions 
  • give access only where and when it is needed 
  • be reviewed when the project is done 

If the setup is hard to explain clearly, or nobody can confidently describe how it's protected, that's worth a closer look. 

The Takeaway 

Internet-connected PLCs are not a “today only” problem. They are a standing risk any time a device is exposed to the internet or reachable through a weak remote-access path. The recent headlines are a reminder to verify what is connected, how it is connected, and whether any access that was added for convenience should still be there. 


Travis Noteboom leads Interstates' team of professionals focused on designing and protecting network and server infrastructure for industrial clients. With 12 years at Interstates, he brings deep experience helping organizations strengthen the security and reliability of the systems they depend on. 

Joe Breeden leads Interstates' OT cybersecurity efforts, bringing more than 25 years of experience across academia, Fortune 500 IT leadership, and industrial cybersecurity. After 16 years as a professor of information systems and nearly a decade in corporate IT and cyber leadership, he has spent the past two years helping Interstates' industrial clients strengthen their OT security.