CISA (Cybersecurity & Infrastructure Security Agency) is warning that threat actors breached a U.S. water facility by hacking into Unitronics programmable logic controllers (PLCs) exposed online.
PLCs are crucial control and management devices in industrial settings, and hackers compromising them could have severe repercussions, such as water supply contamination through manipulating the device to alter chemical dosing.
Other risks include service disruption leading to a halt in water supply and physical damage to the infrastructure by overloading pumps or opening and closing valves.
CISA confirmed that hackers have already breached a U.S. water facility by hacking these devices. However, the attack did not compromise potable water safety for the served communities.
“Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility,” reads CISA’s alert.
“In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.”
The agency underlines that the threat actors take advantage of poor security practices to attack Unitronics Vision Series PLC with a human-machine interface (HMI) rather than exploit a zero-day vulnerability on the product.
The recommended measures for system administrators are:
- substitute the default Unitronics PLC password, ensuring “1111” is not used.
- execute MFA (multi-factor authentication) for all remote access to the Operational Technology (OT) network, including access from IT and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, use a Firewall/VPN setup to control access.
- Regularly back up logic and configurations for quick recovery in case of ransomware attacks.
- Avoid using the default TCP port 20256, which is commonly targeted by cyber actors. If possible, use a different TCP port and utilize PCOM/TCP filters for additional security.
- Update the PLC/HMI firmware to the latest version provided by Unitronics.
While CISA’s advisory did not specify the threat actor behind the attacks, Cyberscoop reported that a recent hack on the Municipal Water Authority of Aliquippa, Pa., was conducted by Iranianian attackers.
As part of this attack, the threat actors hijacked Unitronics PLCs to display a message from the threat actors.
CISA also announced in September 2023 a free security scans program for critical infrastructure facilities admire water utilities to help them recognize security gaps and protect their systems from opportunistic attacks.