Thiago Alves, Ph.D. CPE 2019
Thiago Alves is the creator of OpenPLC, the first widely adopted open-source programmable logic controller platform. OpenPLC is now used in classrooms, research labs, and industrial testbeds around the world. By lowering the barrier to hands-on industrial control, it has enabled universities to teach real PLC concepts without costly hardware, helped researchers prototype and evaluate security for critical infrastructure, and given engineers a flexible platform for interoperability and resilience testing. Thiago’s work on OpenPLC led to a DEFCON talk, published CVEs, and a career bridging academia, consulting, and product engineering.
Thiago earned his Ph.D. in Computer Engineering with a focus on cybersecurity from UAH in 2019, after completing his B.S. in Electrical Engineering at Pontifícia Universidade Católica (PUC) in Brazil. In a recent conversation with Dr. Aleksandar Milenkovic, Chair of the ECE Department, Thiago reflected on his journey from student to innovator and how his time at UAH shaped his path.
Tell us more about your upbringing and when you decided to become an engineer.
I grew up in a family of dentists. My father, grandfather, and older brother all became dentists, but I was always drawn to understanding how things work. In high school, I split my time between a traditional school and a technician school, where the curriculum focused on electricity, mechanics, and automation. That hands-on experience made engineering feel tangible.
At PUC, I gravitated toward computer engineering topics within electrical engineering such as computer architecture, operating systems, embedded systems, and kept building things. Toward the end of my undergrad, I interned at a car manufacturing facility, which was my first exposure to a real automation plant.
How did that factory internship lead you toward PLCs and, eventually, OpenPLC?
I was asked to automate a crash-test procedure, but there wasn’t a budget to buy a PLC. So, I turned to older hardware and low-cost electronics. Naively, I thought a PLC was just “a microcontroller with relays.” That oversimplification ended up sparking my curiosity to dig deeper.
I built a working solution using inexpensive components and presented it to the engineering team and company president. It worked, and they loved it! That experience planted the seed for OpenPLC: a capable, open, and accessible PLC platform for everyone.
What brought you to UAH for your Ph.D., and what stood out when you arrived?
I connected with Dr. Tommy Morris when he moved from Mississippi State to UAH to help establish the new Center for Cybersecurity Research and Education (CCRE). UAH had great labs and equipment, but what stood out most were the people and culture. I could dive into cybersecurity while collaborating with faculty in computer architecture, IoT, and operating systems.
Dr. Morris gave me the freedom to explore my research in my own way. He didn’t push specific topics but instead offered guidance and support that allowed me to shape my own path. That freedom was fundamental to my growth, and I was very fortunate to have him as my advisor.
What were some milestone moments from your Ph.D. work?
My research on OpenPLC led to several milestones. I discovered vulnerabilities in commercial PLCs and earned my first CVEs, including a Modbus stack issue in a Rockwell MicroLogix PLC and a design flaw in Schneider Electric’s M221 protocol that allowed remote password retrieval. With Dr. Morris’s guidance, we reported these responsibly through ICS-CERT and worked with vendors on mitigation strategies.
Another highlight was winning first place at NYU’s CSAW cybersecurity competition. And, of course, presenting my work at DEFCON, the world’s largest hacker conference, where I demonstrated live attacks in a controlled setting to a crowd of more than a thousand people. OpenPLC became my “business card” as it opened doors to collaborations and industry opportunities.
Walk us through your path after graduating from UAH.
After graduation, I joined Deloitte as an Advisory Specialist Master, applying my industrial control and security research to real-world systems. In 2020, I became Head of Security Research at Mosyle, where we launched multiple security products and I learned extensively from close collaboration with the CEO.
In 2023, I founded Autonomy, the company behind OpenPLC, to give OpenPLC a dedicated team and focus. Around the same time, I joined FACTS Engineering as a Senior Firmware Engineer, staying connected to the industrial automation field while building the foundation for my own company.
What is Autonomy, and how are you balancing open-source with a business model?
OpenPLC remains open-source at its core. Autonomy builds on top of it with managed services and cloud features for larger organizations, ensuring the ecosystem stays open while becoming sustainable.
Strategic partnerships accelerated our growth. One key early partner was Arduino, whose CEO, Fabio Violante, reached out as they explored PLC technology. With that momentum, we’ve assembled a focused team to harden and redesign OpenPLC for industrial-grade use.
In hindsight, what did UAH do especially well for you?
UAH gave me freedom within mentorship. I had the right tools, supportive faculty, and a welcoming Huntsville community. That environment allowed me to dive deep into OpenPLC and ultimately take the work beyond the lab.
Parting advice for students who want to follow a similar path?
Live your own journey. Don’t chase someone else’s formula for success. Measure achievement by the impact of your work and the pride you take in it, not just numbers or titles. If you keep improving the field and yourself, the rest will follow.
We’re proud of you and your accomplishments and we will always be rooting for your continued success.