In a recent development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded to an active cyberattack on a water facility in western Pennsylvania, shedding light on the exploitation of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) sector.
The targeted facility, identified as the Municipal Water Authority of Aliquippa, fell victim to a cyberattack where threat actors successfully exploited Unitronics PLCs. Specifically, a Unitronics Vision Series PLC with a Human Machine Interface (HMI) was compromised, allowing unauthorized access to a remote booster station serving Raccoon and Potter Townships, according to a statement from the Water ISAC.
Fortunately, the water authority promptly responded by taking the affected system offline and transitioning to manual operations. CISA reassures the public that there is currently no known risk to the municipality's drinking water or water supply.
The utility's general manager, Robert J. Bible, spoke with CNN and discussed the incident:
"It's a pain. Somebody's got to wake up at 3 in the morning and go turn on or turn off those pump stations. It's just a big inconvenience until we can get the (automated) system back up and running."
After the hackers breached the facility, a monitor displayed a message stating that Israeli-made equipment, which the facility used, was fair game. Bible touched on the fact that their small-town water treatment facility was caught in the cyber crossfire of the ongoing war in the Middle East:
"That was maybe the furthest thing from my mind. Especially for a community. We only serve 15,000 people. You wouldn't put two and two together."
The attack has been linked to CyberAv3ngers, an Iranian-backed group known for its focus on targeting Israeli water and energy sites. Recent activities reported by the group include claiming responsibility for infiltrating water treatment stations in Israel, showcasing a history of targeting critical infrastructure.
In response to this incident, CISA has issued a set of urgent recommendations for organizations in the Water and Wastewater Systems (WWS) sector to enhance their cybersecurity posture and protect against potential threats. These recommendations include:
- Change all default passwords on PLCs and HMIs. Ensure the Unitronics PLC default password '1111' is not in use.
- Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular-based long-haul transport device that is secure to their cloud services.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
- If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLCs. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
- Update PLC/HMI to the latest version provided by Unitronics.
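One way to check the exposure these recommendations describe is to review perimeter firewall logs for traffic to the PLC port from sources outside an approved management network. The sketch below is an added example, not code from CISA, Unitronics, or the original article; the log line format, the sample addresses, the allowlisted subnet, and the function name `review_pcom_traffic` are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

PCOM_TCP_PORT = 20256  # Unitronics default port named in the CISA guidance

# Constructed sample firewall log lines (the format is an assumption for this example).
SAMPLE_LOG = """\
2024-01-01T03:02:11Z ALLOW TCP 10.20.0.5:51512 -> 10.20.1.10:20256
2024-01-01T03:04:40Z ALLOW TCP 203.0.113.77:40112 -> 10.20.1.10:20256
2024-01-01T03:04:41Z DENY TCP 203.0.113.77:40113 -> 10.20.1.11:20256
2024-01-01T03:04:42Z DENY TCP 203.0.113.77:40114 -> 10.20.1.12:20256
2024-01-01T03:05:00Z ALLOW TCP 198.51.100.9:55000 -> 10.20.1.10:443
2024-01-01T03:06:00Z ALLOW TCP 192.0.2.44:41000 -> 10.20.1.10:20256
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def review_pcom_traffic(log_text, allowed_nets, port=PCOM_TCP_PORT, scan_threshold=3):
    """Return (unauthorized_allowed, probing_sources) for traffic to `port`."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    unauthorized = []           # ALLOWed connections from outside the allowlist
    targets = defaultdict(set)  # non-allowlisted source -> distinct PLC addresses tried
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in n for n in nets):
            continue  # approved management source (e.g. behind the VPN gateway)
        targets[m["src"]].add(m["dst"])
        if m["action"] == "ALLOW":
            unauthorized.append((m["ts"], m["src"], m["dst"]))
    # A source touching many PLC addresses on this port looks like network probing.
    probing = sorted(s for s, d in targets.items() if len(d) >= scan_threshold)
    return unauthorized, probing

if __name__ == "__main__":
    reached, probing = review_pcom_traffic(SAMPLE_LOG, ["10.20.0.0/24"])
    for ts, src, dst in reached:
        print(f"{ts} PLC {dst} reachable on TCP {PCOM_TCP_PORT} from {src}")
    print("sources probing multiple PLCs:", probing)
```

If the PLC has been moved off the default port as recommended, pass the new value as `port` so the review keeps covering the same traffic.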
As cybersecurity threats to critical infrastructure continue to evolve, it is crucial for organizations to proactively adopt and implement robust security measures.
The recent incident highlights the importance of securing PLCs in the WWS sector and serves as a reminder for organizations to stay vigilant, follow best practices, and collaborate with cybersecurity agencies to safeguard essential services and infrastructure.
By heeding the recommendations from CISA, water utilities can bolster their defenses and reduce the risk of future cyberattacks on vital systems.