CISA responds to active exploitation of Unitronics PLCs in water and wastewater systems sector

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Tuesday that it is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the water and wastewater systems (WWS) sector. The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet. 

The security agency revealed that cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. “In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply,” it added. 

The Pennsylvania State Police is currently investigating the Unitronics exploitation.

WWS sector facilities use PLCs to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations. 

CISA identified that attempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.

A local Pittsburgh news channel (KDKA) reported that on Saturday the Municipal Water Authority of Aliquippa in western Pennsylvania was attacked by an Iranian-backed cyber group known as CyberAv3ngers. The hackers are said to have taken control of the booster station that monitors and regulates pressure for Raccoon and Potter Townships. An alarm reportedly went off as soon as the attack occurred. The compromised device is reported to be a Unitronics PLC, which has been disabled and is being operated manually.

The WaterISAC noted that “the news site has posted an image stating it was submitted by the water authority. The image suggests the attacker’s message is displayed on the system that was compromised with the Unitronics device and model (V570). While there’s generally nothing wrong with providing attackers messages to the media, perhaps better operational security should be maintained by cropping the image to omit the device and model or other key data.”

Founded in 1989, Israeli company Unitronics specializes in automation control. It has extensive experience in industries such as automated parking systems, packaging and palletizing, energy production, agriculture, food, HVAC, dairy, chemical, wastewater, boilers, plastic extrusion, and other industrial sectors. Unitronics has a global presence with two divisions – Unitronics Automation Solutions and Unitronics Products Division – operating across 55 countries with a worldwide network of distributors, sales reps, and local service agents.

“From a Nov. 27, 2023, Shodan search on Unitronics systems, there are more than 220 Unitronics systems in the U.S. and more than 1800 worldwide,” cybersecurity expert Joe Weiss detailed in his latest blog post. “One wonders who else has been hacked, or when they will be attacked. Imagine what damage could accrue if the attack targeted other control system suppliers.”

To secure WWS facilities against this threat, CISA urges organizations to change the Unitronics PLC default password and validate that the default password ‘1111’ is not in use. They must also require multi-factor authentication for all remote access to the OT network, including from the IT and external networks. 

Furthermore, organizations must disconnect the PLC from the open internet. If remote access is necessary, implement a firewall/VPN in front of the PLC to control network access to it. A VPN or gateway device can enforce multi-factor authentication for remote access even when the PLC itself does not support it. Unitronics also offers a cellular-based long-haul transport device that provides a secure connection to its cloud services.

CISA also urged the WWS sector to back up the logic and configurations on any Unitronics PLCs to enable fast recovery. “Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware. If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets,” it added.

Additionally, organizations must update PLC/HMI to the latest version provided by Unitronics.
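One way a utility can verify the firewall/VPN step and watch for the TCP 20256 probing CISA describes is to review perimeter firewall logs for connections to that port from anything other than the engineering or VPN networks. The script below is an added example, not code from CISA, WaterISAC or Unitronics; it assumes a syslog-like firewall log format, an allowlist of OT and VPN subnets, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Default Unitronics PCOM/TCP port named in the CISA advisory.
PCOM_TCP_DEFAULT_PORT = 20256

# Constructed sample firewall log lines; the field layout is an assumption, not a real vendor format.
SAMPLE_LOG = """\
2023-11-27T10:15:01Z fw1 ACCEPT src=198.51.100.23 dst=10.20.0.15 proto=TCP sport=51234 dport=20256
2023-11-27T10:15:02Z fw1 ACCEPT src=198.51.100.23 dst=10.20.0.15 proto=TCP sport=51235 dport=20256
2023-11-27T10:16:40Z fw1 ACCEPT src=10.20.0.50 dst=10.20.0.15 proto=TCP sport=40010 dport=20256
2023-11-27T10:17:05Z fw1 ACCEPT src=203.0.113.9 dst=10.20.0.15 proto=TCP sport=33001 dport=20256
2023-11-27T10:18:00Z fw1 ACCEPT src=203.0.113.9 dst=10.20.0.15 proto=TCP sport=33002 dport=502
2023-11-27T10:19:00Z fw1 DROP src=192.0.2.77 dst=10.20.0.15 proto=TCP sport=60000 dport=20256
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)

# Assumed allowlist: the OT engineering subnet and the VPN concentrator's client pool.
# Anything else reaching the PLC port should not exist once the PLC sits behind a firewall/VPN.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.99.0.0/24"),
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src):
    """True if the source address lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable address: treat as not allowed so it gets flagged
    return any(addr in net for net in ALLOWED_SOURCES)


def find_suspect_pcom_connections(log_text, port=PCOM_TCP_DEFAULT_PORT):
    """Return records for connections to `port` whose source is outside the allowlist.

    Both accepted and dropped entries are returned: a dropped probe still tells the
    operator that someone is scanning for the PLC port, while an accepted one means
    the perimeter control is not doing its job.
    """
    suspects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        if not is_allowed_source(rec["src"]):
            suspects.append(rec)
    return suspects


def accepted_external_sources(records):
    """Count, per source address, the suspect connections the firewall actually let through."""
    return Counter(r["src"] for r in records if r["action"] == "ACCEPT")


if __name__ == "__main__":
    findings = find_suspect_pcom_connections(SAMPLE_LOG)
    for r in findings:
        print(f"{r['ts']} {r['action']:6} {r['src']} -> {r['dst']}:{r['dport']}")
    print("accepted from outside allowlist:", dict(accepted_external_sources(findings)))
```

Run against real exports, the first place to look is any ACCEPT entry in the output: it means an internet-facing path to the PCOM/TCP port still exists and the disconnect/VPN step above has not been completed. If the utility has moved the PLC off the default port, pass the new port as the `port` argument.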

The WaterISAC will also be monitoring this situation for updated information and will advise of any significant developments. “To help prevent incidents, WaterISAC encourages water and wastewater utilities to sign up for CISA’s free Cyber Vulnerability Scanning (VS) service. The VS service continuously assesses the health of internet-accessible assets by checking for known vulnerabilities, weak configurations – or configuration errors – and suboptimal security practices,” it added.
