The Cybersecurity & Infrastructure Security Agency, or CISA, has issued a warning that malicious actors exploited internet-exposed Unitronics programmable logic controllers (PLCs) to compromise a water facility in the United States.
In industrial settings, PLCs are essential control and management tools. If attackers manage to compromise them, the consequences could be dire, such as contaminating the water supply by manipulating the device to change chemical dosing.
Additional hazards include a service outage that interrupts the water supply, as well as physical damage to the infrastructure from overtaxing pumps or opening and closing valves.
CISA confirmed that by compromising these devices, attackers have already gained access to a U.S. water facility. Nonetheless, the attack did not jeopardize the safe drinking water of the communities served.
“Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility,” according to the alert.
“In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.”
The agency emphasizes that the threat actors did not exploit a zero-day vulnerability in the product; instead, they targeted Unitronics Vision Series PLCs through the human-machine interface (HMI) by taking advantage of lax security practices.
System administrators are advised to take the following actions:
- Change the Unitronics PLC’s default password and make sure “1111” is not used.
- Enable multi-factor authentication (MFA) for all remote access to the Operational Technology (OT) network, including access from external networks and from the IT network.
- Disconnect the PLC from the public internet. If remote access is required, use a firewall and VPN configuration to control it.
- Back up logic and configurations often to ensure a speedy recovery in the event of a ransomware attack.
- Avoid using the default TCP port 20256, which cyber actors frequently target. For added security, switch to a different TCP port and make use of PCOM/TCP filters.
- Install the most recent Unitronics PLC/HMI firmware update.
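The checklist above maps directly onto things a water utility can audit from its own asset inventory and firewall logs. The following is an added example, not code from CISA or from the article: it scores a constructed PLC inventory against each recommendation and scans constructed firewall log lines for connections from outside RFC 1918 space to the default PCOM/TCP port. The record fields, the 30-day backup threshold, the log line format and the firmware version strings are all assumptions for illustration.

```python
"""Audit PLC records and firewall logs against the CISA Unitronics advice.
Added example; all inventory records and log lines below are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

DEFAULT_PCOM_PORT = 20256          # default PCOM/TCP port named in the advisory
WEAK_PASSWORDS = {"1111", ""}      # the advisory's default password, plus empty
BACKUP_MAX_AGE_DAYS = 30           # assumed site policy, not from the advisory

# RFC 1918 ranges; anything else is treated as external for this audit.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass
class PlcRecord:
    """One PLC as tracked in a hypothetical asset inventory."""
    name: str
    password: str
    pcom_port: int
    internet_exposed: bool
    remote_access_mfa: bool
    firmware: str
    latest_firmware: str            # assumed to be maintained by the site
    last_backup_days: Optional[int]  # None means no backup on record


def audit_plc(plc: PlcRecord) -> List[str]:
    """Return one finding per advisory item the record fails; empty if hardened."""
    findings = []
    if plc.password in WEAK_PASSWORDS:
        findings.append("default/empty password still in use")
    if plc.pcom_port == DEFAULT_PCOM_PORT:
        findings.append(f"listening on default PCOM/TCP port {DEFAULT_PCOM_PORT}")
    if plc.internet_exposed:
        findings.append("reachable from the public internet; put behind firewall/VPN")
    if not plc.remote_access_mfa:
        findings.append("remote access to the OT network lacks MFA")
    if plc.firmware != plc.latest_firmware:
        findings.append(f"firmware {plc.firmware} behind latest {plc.latest_firmware}")
    if plc.last_backup_days is None or plc.last_backup_days > BACKUP_MAX_AGE_DAYS:
        findings.append(f"no logic/config backup within {BACKUP_MAX_AGE_DAYS} days")
    return findings


# Assumed firewall log format: "src=A dst=B dport=N proto=tcp action=allow|deny".
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"dport=(?P<dport>\d+) proto=tcp action=(?P<action>\w+)")


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_pcom_connections(log_lines, plc_port: int = DEFAULT_PCOM_PORT
                              ) -> List[Tuple[str, str, str]]:
    """Return (src, dst, action) for every external attempt on the PCOM port.
    Denied attempts are reported too: they show who is probing the port."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:                       # unrelated or malformed line, skip it
            continue
        if int(m["dport"]) == plc_port and not is_internal(m["src"]):
            hits.append((m["src"], m["dst"], m["action"]))
    return hits


# Constructed sample data (TEST-NET addresses, placeholder firmware strings).
SAMPLE_PLCS = [
    PlcRecord("plc-a", "1111", 20256, True, False, "fw-old", "fw-new", None),
    PlcRecord("plc-b", "constructed-strong-passphrase", 55123, False, True,
              "fw-new", "fw-new", 7),
]
SAMPLE_FIREWALL_LOG = [
    "2023-11-25T10:01:02Z src=203.0.113.5 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T10:01:09Z src=192.168.10.5 dst=192.168.10.20 dport=20256 proto=tcp action=allow",
    "2023-11-25T10:02:41Z firewall restarted",
    "2023-11-25T10:03:15Z src=198.51.100.7 dst=192.168.10.20 dport=20256 proto=tcp action=deny",
    "2023-11-25T10:04:00Z src=203.0.113.9 dst=192.168.10.20 dport=443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for plc in SAMPLE_PLCS:
        print(plc.name, "->", audit_plc(plc) or "OK")
    for src, dst, action in external_pcom_connections(SAMPLE_FIREWALL_LOG):
        print(f"external PCOM attempt {src} -> {dst}: {action}")
```

An allowed connection from an external address to the PCOM port is the single most actionable finding here, since it is exactly the exposure the advisory describes; a denied attempt is still worth logging as evidence of scanning. Firmware is compared by simple string equality, which is enough for a tracked "latest" value but not for real version ordering.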
Although CISA’s advisory did not identify the threat actor behind the attacks, Cyberscoop reported that Iranian hackers were responsible for the recent hack on the Municipal Water Authority of Aliquippa, Pennsylvania.
The threat actors hijacked the Unitronics PLCs in order to display a message.
In September 2023, CISA also announced a free security scan program to help critical infrastructure facilities, such as water utilities, identify security flaws and safeguard their systems against opportunistic attacks.
Federal government investigating multiple US water utility hacks
According to two people familiar with the investigations, the federal government is looking into a number of hacks against American water facilities that use Israeli-made technology that may have been carried out by a cyber group connected to the Iranian government.
One of the hacks garnered media attention on Saturday, when a group with ties to Tehran took credit for attacking a Pennsylvania water authority. According to the two people, who were granted anonymity to discuss information that was not yet public, the government is aware of and investigating a “single-digit” number of facilities that have been impacted nationwide.
Those affected say that none of the attacks caused significant disruption, but cyber experts familiar with the Pennsylvania incident say the activity appears intended to sow doubt about using Israeli devices.
Washington has been bracing for increased cyber intrusions from Iran since the most recent conflict erupted between Israel and Hamas, the militant organisation that Tehran has long supported. The activity also coincides with a wave of recent drone and rocket attacks on American troops in the Middle East by Iranian proxy groups.
Generally speaking, water facilities are one of the most vulnerable aspects of the American infrastructure, frequently because smaller utilities lack the resources and staff to address the problem. In an effort to solve this issue, the Biden administration has increased its collaborations with private companies operating in the water industry.
Authorities say that in Saturday’s hack, a group known as Cyber Av3ngers, which they believe may have connections to the Iranian government, broke into and disabled a digital control panel manufactured by Unitronics, an Israeli-owned business, at the Municipal Water Authority of Aliquippa, outside of Pittsburgh. The group also took over the control panel’s digital display screen, which regulates water pressure automatically, and changed it to say: “Every equipment ‘Made in Israel’ is Cyber Av3ngers legal target.”
Water authority general manager Robert Bible told POLITICO on Monday that the authority has not experienced any service disruptions at the affected station, which serves 1,200 people, and that attackers could not change the chemicals used in drinking water if they had control over the Unitronics devices.
The Pennsylvania State Police communications office director, Lt. Adam Reed, confirmed on Tuesday that federal authorities had taken over the investigation into the Aliquippa incident. Bible said he has been in constant communication with the FBI, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency since the attack last weekend. These organisations are among those investigating the case.
Bible stressed that there had been no real impact, even though the utility is manually running the water pumps at the affected station while the authorities look into the incident. “Everything is operating as it should,” he stated.
Unitronics PLCs are widely used worldwide. According to Hegel, as of Tuesday afternoon, about 1,500 instances of the Unitronics PLC model that was compromised in Aliquippa were still open to exploitation.
The danger posed to water facilities was highlighted on Tuesday when it was revealed that a 2 million-person utility in North Texas had been compromised by an unidentified hacker group, seemingly unconnected to the Pennsylvania attack. The North Texas Municipal Water District did not use Unitronics products, according to a representative for the utility.