{
	"id": "93fd18e3-3980-46fe-b855-1648ff87d627",
	"created_at": "2026-04-06T00:22:23.366905Z",
	"updated_at": "2026-04-10T03:36:13.923857Z",
	"deleted_at": null,
	"sha1_hash": "943e0d9acbd1480cf66ad192033b1d7ff56e3f7e",
	"title": "How PLCs Work",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 894677,
	"plain_text": "How PLCs Work\r\nArchived: 2026-04-05 14:55:11 UTC\r\nHow PLCs Work\r\nOperations and connections\r\nHow PLCs work, or to use its full name, how\r\nProgrammable Logic Controllers work\r\nis what we're about to discover.\r\nLet's put the focus on the why and how PLCs tick.\r\nThe PLC is a specialist type of computer so the why and how PLC's work is needed to utilise them correctly and\r\nto your best advantage. They are used extensively but not solely in industry, to control machines and processes.\r\nBeing a computer, it shares common terms with the typical PC (Personal Computer) you'd have in your home.\r\nTerms like CPU (central processing unit), RAM \u0026 ROM (random access memory \u0026 read only memory), also\r\nsoftware, hardware and communications (Comms).\r\nThat's about where similarities end though as unlike a PC, the PLC is designed to be used in harsh and rugged\r\nindustrial conditions. Also the PLC needs to be and is, very flexible in how it can interface with inputs and outputs\r\nand other computers in the real world.\r\n- BTW -\r\nAlso in the interest of how PLCs work, you may like to see the PLC History or the Smallest PLC pages on this\r\nhttp://www.machine-information-systems.com/How_PLCs_Work.html\r\nPage 1 of 14\n\nwebsite.\r\nOr maybe you would like to register for our self teach PLC programming course which is in the making. Just a\r\nthought.\r\n- BTW -\r\nHOW PLCs WORK.\r\nThe components that make a modular PLC work can be divided into four core areas.\r\nThe backplane or rack and power supply.\r\nThe central processing unit (CPU).\r\nThe input/output (I/O) section.\r\nThe Program section.\r\nPLCs come in so many makes and different shapes and sizes. 
They can be so small as to fit in your pocket but also\r\nthe more involved control systems can be as large as a wardrobe with several interconnected large PLC racks.\r\nThe smaller PLCs, also known as a brick type, are typically designed with fixed I/O points as low as 6 but also up\r\nto 256.\r\nFor our purposes of consideration here, we will be looking at the modular rack based systems as they have easily\r\ndefinable parts. They are called “modular” because the backplane rack can accept many different configurations\r\nand types of I/O modules that simply slide into the rack and plug in.\r\nConsequently a modular PLC can be custom built with whatever configuration of I/O is best suited to the job in\r\nhand. Along with a multitude of configurations that also means they can be made as small or big as needed too.\r\nThe backplane - Rack and Power Supply.\r\nSo let's start off with the rack, this part provides the physical assembly for the PLC I/O as well as the bus\r\nconnections between all the parts. The bus refers to the data-bus which is the Comms link between all the I/O under\r\nthe PLC's CPU control.\r\nThe rack above is a Mitsubishi 'A' series rack with eight I/O slots and a power supply unit (PSU) slot. You may\r\nthink it doesn't do much and you'd be right, well on its own anyway. But, the rack is an important part of how\r\nPLCs work.\r\nHere it is again with the PSU slotted in place.\r\nOK, I said just now the rack is an important part of how PLCs work. It provides all the slotted in I/O modules with\r\npower from the PSU.\r\nMore importantly, it also provides communications between the I/O modules installed and the PLC CPU. Now if\r\nyou look closely at the rack above it does not have a slot for the CPU.\r\nThat's because the rack pictured is what's known as an expansion rack. 
It provides an I/O expansion to the PLC\r\nCPU rack; below is how it would look in a typical installation.\r\nCan you see the rack data cable connecting the expansion rack (on top) to the CPU rack (below)? It's the white\r\ncable snaking along the top of the trunking. Well it started off white, this is a picture of a working panel.\r\nIf you look very closely you can see some of the input and output LED (Light Emitting Diode) lights are actually\r\non! As you may now realise this is quite typical of how a PLC CPU rack and Expansion rack set-up would look in\r\na real working panel. The PLC in this panel is controlling an escalator for London's Underground no less.\r\nThe millions of people that use the London Underground Tube railway give an indication of just how reliably PLCs\r\nwork, day in and day out. Otherwise they wouldn't be in use there I can tell you.\r\nThe rack is the PLC component that actually holds everything together. Depending on the I/O needs of the PLC\r\ncontrol system being produced, it can be ordered in various different sizes to hold more modules. Also as you've\r\nseen here, it can be daisy chained together with additional racks called expansion racks.\r\nExpansion racks offer two advantages over just having one huge long PLC rack for large I/O capable PLC\r\nsystems.\r\nOne, while expanding the I/O they are separate from the CPU rack so can be stacked. This gives the advantage of\r\nkeeping the width to a manageable size.\r\nTwo, while able to be positioned at different heights within the cabinet and dividing up the wiring, they give almost\r\nlimitless expansion possibilities to the PLC.\r\nLike the spine in the human body, the rack has a backplane at the rear\r\nwhich gives the physical support needed to the PLC modules/cards, as well as allowing all the modules/cards to\r\ncommunicate with the CPU via the backplane databus. 
This databus is a very important part of how PLCs work,\r\nallowing the CPU direct access to each individual module.\r\nThe power supply plugs into the rack as well (one for each rack) and supplies regulated DC power to all the\r\nmodules that plug into that rack.\r\nThe most popular power supplies in use are either the universal AC supply type (pictured here), which works with\r\nanywhere from 100V AC to 240V AC, or 24V DC sources.\r\nHow PLCs work with the inputs and outputs is generally using 24V DC to give inputs and switch output devices\r\non.\r\nThat's why you can see in the PSU picture the 24V DC output as well as the 5V DC for the PLC's internal power\r\nand the universal AC input terminals.\r\nThe 24V DC supplied by a PLC's supply is generally quite low capacity and is only used to power the inputs for\r\nthe system. A separate PSU would be used for the more demanding output supply as these could be quite an\r\namount of Watts (Volts X Amps measurement).\r\nThe CPU - Central Processing Unit.\r\nHow PLCs work is down to the CPU; the CPU is the PLC part which is the brain of the whole PLC. This module\r\ntypically lives in the slot beside the power supply or is incorporated with a power supply. PLC Manufacturers do\r\noffer different types of CPUs and CPU/PSU combinations based on the complexity needs for the system.\r\nThe CPU is made up of several components: a microprocessor, memory chip or chips, I/O interfacing and other\r\nintegrated circuits (ICs) to control logic, monitoring and communications. CPUs vary in speed of operation, the\r\nprice going up along with the speed of the CPU of course.\r\nThe CPU itself has a few different operating modes.\r\nProgramming Mode.\r\nRun Mode.\r\nStop Mode.\r\nReset Mode.\r\nIn Programming mode it accepts the downloaded program logic from the laptop or PC you would use to write\r\nthe controlling program. 
The CPU is then placed in run mode so that it can execute the program and operate the\r\ndesired process.\r\nIn Run mode the PLC is in full operation, doing all its self checks and operating governed by the program held in\r\nit, reading the inputs and setting the outputs accordingly, even conversing with other units via RS232,\r\nProfibus, SCADA or CC-Link.\r\nIn Stop mode it's as it says, stopped. Now you might not think this is a mode as such, but it is needed since some programming\r\ncan be done while running, while some PLC programming functions require it to be stopped. Putting a PLC into\r\nStop mode also turns off all the outputs. Handy for checking inputs without causing anything to happen out of\r\nsequence.\r\nReset mode is also as it says: it resets the PLC from operating conditions back to switch-on position. When this\r\nis done without resetting any data memory registers, this is called a warm reset. If the reset performed is full, for\r\nexample resetting all I/O and data registers, it's called a cold reset.\r\nThe Scan-time\r\nBelow is the basic flow chart of how PLCs work through and process the I/O, their program operation and error\r\nchecks, known as the Scan process. The Scan-time is how long it takes the PLC to loop around the whole process\r\nback to the start, and can change depending on how much the Scan process has to do.\r\nThe scan-time speed is very quick, and has to be as they're dealing with real time situations. The scan-time of a\r\nPLC happens in the order of 1/1000ths of a second. Sometimes it can even vary on a scan by scan basis\r\ndepending on program loops being switched in and out by inputs and/or program equations.\r\nMost of how PLCs work through their operational processes is similar to any CPU; a PLC program scan would\r\nfirst perform self-checks. 
Such as error checking its own memory and integrated circuits to verify the CPU and\r\nassociated circuitry is actually operating correctly.\r\nThe next step is to error check any I/O modules fitted into the rack(s). This would include inputs, outputs, RS232\r\nmodules and in fact any and all modules fitted. Only once it has a green light for all these will it then start on the\r\ncontrol program sequence.\r\nBefore it executes the user program, the PLC will scan the input modules; after that's complete it will execute the\r\nuser program. But since a PLC is a dedicated controller, it will only process this one program; it will go through\r\nthe whole program once per scan.\r\nThe memory in the CPU stores the program in non-volatile RAM, which means it won't lose the program if the\r\npower is lost. It uses volatile and non-volatile RAM for holding the status of the I/O and providing a means to\r\nstore values. Some are kept at power down, some are not.\r\nThen the PLC will update the outputs according to the condition of the inputs and the program logic instructions.\r\nThen the PLC repeats this process over and over again.\r\nThe finer points of how PLCs work do vary with different manufacturers, but this basic process outlined here\r\nholds good for all of them.\r\nThe input/output (I/O) section.\r\nThe I/O connectors on the PLC system provide the physical connection between the equipment and the PLC.\r\nOpening the little plastic cover doors on an I/O card reveals a terminal strip which is where the devices connect.\r\nAbove is a simple PLC wiring diagram (called a schematic); in this example you can see the PLC is a 24V DC\r\nsupply type. To show how PLCs work the PLC is shown just as a box. 
Sometimes not even that, more often than\r\nnot there's just a terminal with a reference to where it connects on the PLC I/O.\r\nThere are many different types and kinds of input and output cards which are picked depending on what type of\r\ncontrol system is needed. How PLCs work can be customised by the type of input and output cards picked so the\r\nCPU can use them for its logic control.\r\nIt's simply a matter of defining your PLC specification for which kind of inputs, outputs and Comms cards are\r\nneeded, filling the rack with the appropriately picked cards and then addressing them correctly from within the\r\nCPU's program.\r\nThis addressing is easily done within the PLC parameters area of the ladder program these days; this tells the PLC\r\nwhich cards are fitted in the rack and at what position. Having said that, it is still possible to address them all\r\ndirectly from the ladder program, as the earlier PLC versions had to.\r\nThe Inputs.\r\nA PLC input device means anything that can give an input to the PLC, that can influence the program's operation.\r\nThese can consist of digital, analogue, switches, sensors, intelligent devices and even Comms modules.\r\nYou would choose a digital input card to handle\r\ndiscrete devices such as push-buttons, micro-switches, selector switches, photocells and proximity sensors which\r\ngive a signal that has only two states. They are either on or off.\r\nThis type of device is what's called a bit device. This is because the full scale of their signal range (called Full\r\nScale Deflection or FSD for short) can be represented by one bit. There are eight bits in a byte; computers talk in\r\nbytes or multiples of bytes. To help to understand more on how PLCs work see 32-Bit and 64-Bit computer\r\ndatabus.\r\nPLC digital input cards that handle discrete devices are available with anywhere from 8 to 128 inputs on a single\r\ncard that slots into the rack. 
However any more than 16 inputs on a card usually means having a breakout\r\nconnector as it's just not possible to connect that many wires onto the top of an input card on the PLC with built-in\r\nscrew terminals.\r\nA breakout connector is merely a means of fanning out the physical connection from the input or output card. This\r\nis achieved by using a multi-pole connector on top of the card which connects via a data cable to another card with\r\nall the screw terminals on it. It's this card that the discrete bit devices will connect to.\r\nAnalogue devices can also be input devices to PLCs, but due to how PLCs work, they need a special card to\r\ntranslate their infinitely variable signal (which could be voltage or current) into something the CPU can\r\nunderstand. Analogue signals need to be what's called digitised before the CPU can deal with them.\r\nThis simply means converting say a 0V to 10V DC signal that you might get from a load cell or speed control\r\npotentiometer into a value. For example if 10V DC equalled a value of 4000 then 2.5V DC would equal 1000 and\r\n5V 2000. Also the FSD for this device would then be 4000 (just testing).\r\nExamples of analogue devices that you may come across are those like the previously mentioned reference setting\r\npotentiometers and load cells, as well as pressure transducers, flow meters and thermocouples for temperature\r\nreadings. There are many more of course, than just the ones I've mentioned here.\r\nI should also mention Comms modules, as they could be used as input devices; they are capable of conveying\r\neither type of signal as they communicate in bits and bytes, or in other words - values. These values could be\r\nrepresenting levels from previously digitised analogue devices, or lots of individual bit devices.\r\nLastly we'll give intelligent devices a mention too as, like Comms modules, they too talk in values. 
Intelligent\r\ndevices would include things like DC and AC drives for motors, other PLCs, HMI screens (Human Machine\r\nInterface), remote I/O stations as well as sophisticated sensors such as cameras and position arrays.\r\nThe Outputs.\r\nNow, furthering how PLCs work it may not surprise you to know output devices can consist of digital (bit devices)\r\nand/or also analogue devices (value devices). Also the aforementioned Comms modules and intelligent devices\r\nare bi-directional devices and part of how PLCs work.\r\nBi-directional devices, by their definition, talk in\r\nboth directions, in other words they are inputs and outputs at the same time. If you look at the\r\nRS232 pinouts you will see a Tx pin and an Rx pin, which stand for transmit and receive respectively. More\r\nbasically, this translates into talk (Tx) and listen (Rx).\r\nPerhaps this is a good place to say as a prelude to the outputs, one of the reasons how PLCs work so well is\r\nbecause they are able to convert signals in both directions, in and out. It makes sense really, I mean if you have a\r\nvoltage or current reference input, sooner or later you're going to need a voltage or current output.\r\nThese input converting cards or modules are called A/D Converters; the 'A/D' bit stands for Analogue and Digital.\r\nComplementing the A/D converter input cards are the output converting cards called D/A Converters. As you can\r\nsee from the name the process is reversed.\r\nThis pair of PLC modules gives us the ability to convert an analogue signal into a digitally represented value,\r\nprocess it within the PLC program and then convert it back to an analogue signal again.\r\nAn analogue output card will convert a digital value or number held in a memory location by the CPU into a\r\nreal world voltage or current. 
Typical output signals can range from 0-10V DC, -10V to +10V DC or 4-20mA and\r\nare used to control servo drives and positioning controls as well as pressure regulators and level control systems.\r\nThis type of system is called 'Closed Loop' control.\r\nThe digital output card is the complement to the digital input card and turns a (bit) device on or off, such as lights,\r\nLEDs, small motors, solenoids (electromagnets), and relays. Digital output cards are available with 8 up to 128\r\noutputs per card, but again like the input cards any more than 16 would need a connector breakout card because of\r\nthe physical space needed for the wire screw connections.\r\nThe Program.\r\nProgramming a PLC these days calls for a PC, specially dedicated software from the manufacturer of the PLC and\r\nmore often than not, a special connecting or programming lead. This pretty much covers the minimum that must\r\nbe obtained and used to program a PLC.\r\nThe most favoured and widely used form of programming language is called ladder logic. Ladder logic\r\nprogramming uses specific symbols instead of actual words. This came about as an emulation of the real world\r\nhard wired relay logic control in use long ago (and still), in a bid to make it easy for the technicians to see how\r\nPLCs work and be able to program the PLCs.\r\nAlthough sometimes considered by some as a relic from the PLC's history, it does still mean it's relatively easy\r\nfor anyone with an understanding of relay type control wiring to program PLCs with little guidance. Or at the\r\nvery least, to understand how PLCs work and program them on the basic level anyway, as due to the\r\nadvancements in PLCs over the years, there are now some very complex instructions that may be used.\r\nThe input symbols are representations of real world normally open and normally closed switches; the output\r\nsymbols represent relays and lights connected by lines as though to show a wire. 
So the flow of current through\r\nthe switch and relay or light, like relay contacts and coils, can be viewed like a real circuit, like this.\r\nThe above is the simplest of programs that can be written for a PLC that, I might add, will actually work: a digital\r\ninput, like a push-button, connected to the first input position on the card. When the input is made (the gap\r\nbridged) it turns on the output, which supplies power to energize an indicator light outside the PLC.\r\nThe completed program pages look like a ladder, which is why it's called Ladder Logic. The left and right rails,\r\nthe ladder uprights, indicate the positive and negative or ground of the power supply.\r\nThe rungs of the ladder are the wiring between the different symbols or operations, which are (within the PLC) all\r\nin the virtual world of the PLC's CPU. So if you can understand how basic electrical circuits work (as do\r\ntechnicians and engineers) then you can understand ladder logic and therefore how PLCs work.\r\nThe completed program (which would be much longer than this one in practice) is downloaded from the PC to the\r\nPLC using the special programming or connection cable. It connects a serial port on the PC to the\r\nprogramming connector on the front of the PLC CPU and is usually RS232 wiring. Once the program is downloaded, the CPU is\r\nthen put into run mode so that it can start scanning the inputs, executing the program logic and controlling the outputs.\r\nThe PLC Program Symbols.\r\nThe program symbols used within the PLC determine how PLCs work and what functions the PLC carries out and\r\nwhen. 
A different PLC program symbol used can completely change the operation of identical rungs of a program\r\nladder.\r\nIn this following paragraph I will be referring specifically to Mitsubishi PLCs as this is the make I am most\r\nfamiliar with. But, having said that, the comments here will transpose to other makes of PLC quite happily.\r\nAs a very quick example to start with, take the ladder rung at the very top of this page. If the output symbol [Y0]\r\nwas changed to an internal relay symbol [M0], this program rung would then be no longer controlling a relay or\r\nvalve in the real world.\r\nIt would only be switching an internal relay (memory bit) within the PLC. This rung would only then be able to\r\neffect a change in the real world if this M0 bit was subsequently used in a rung using or affecting a [Y0] to [Yn]\r\noutput. Incidentally, Yn is an expression used to indicate any number of available outputs.\r\n* more to follow *\r\nThat's about it for how PLCs work, at the more basic end of course, no point bombarding you with too much at\r\nonce.\r\nI hope our 'How PLCs Work' page has helped you in your quest for knowledge.\r\nSource: http://www.machine-information-systems.com/How_PLCs_Work.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.machine-information-systems.com/How_PLCs_Work.html"
	],
	"report_names": [
		"How_PLCs_Work.html"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/943e0d9acbd1480cf66ad192033b1d7ff56e3f7e.pdf",
		"text": "https://archive.orkl.eu/943e0d9acbd1480cf66ad192033b1d7ff56e3f7e.txt",
		"img": "https://archive.orkl.eu/943e0d9acbd1480cf66ad192033b1d7ff56e3f7e.jpg"
	}
}