An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded.
https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf
https://us.idec.com/idec-us/en/USD/Software-Downloads-Automation-Organizer