CISA urges water facilities to secure their Unitronics PLCs

News that Iran-affiliated attackers have taken over a programmable logic controller (PLC) at a water system facility in Pennsylvania has been followed by a public alert urging other water authorities to immediately secure their own PLCs.

“The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the Cybersecurity and Infrastructure Security Agency (CISA) noted.

The PLC in question has a known default password and uses a known default port (TCP 20256), CISA explained, and urged organizations to:

• Change the default password
• Change the default port used by the PLC (if possible)
• Disconnect the PLC from the open internet or, at least, control and protect remote access to it via firewall, VPN, and multi-factor authentication
• Update the PLC/HMI to the latest software/firmware version provided by Unitronics

Finally, CISA says, organizations should back up the logic and configurations on any Unitronics PLCs, so that “in the event of being hit by ransomware”, they can quickly reset the devices and restore the configurations.

Not the only targeted organizations

Luckily for that water authority’s customers, the threat actors seem to have only been interested in getting their political message across. Also, the compromise was detected immediately, so the authority could quickly switch to manual operations.

The North Texas Municipal Water District was not so lucky, as it has apparently been hit by the ransomware gang Daixin Team and the attack affected their business network and phone system (but not their water, wastewater, and solid waste services).

Daixin Team claims to have stolen sensitive data and encrypted over 300 of NTMWD’s servers.

Critical infrastructure under attack

Cyber attackers (and especially ransomware gangs) targeting organizations in critical infrastructure sectors is nothing new: healthcare organizations, in particular, are under a constant barrage.

Organizations running water and wastewater systems are definitely in a disadvantaged situation, as they often have no IT/OT security team and just a small IT team with limited resources and training to keep systems secure and fight cyber attackers off.

But at least in the US, CISA offers help in the form of free cyber vulnerability scanning (to identify vulnerabilities in internet-accessible assets and internet-exposed services) and cybersecurity services.

UPDATE (December 1, 2023, 04:30 a.m. ET):

The vulnerability – default administrative password on Unitronics Vision Series PLCs and HMIs – has been assigned the following designation: CVE-2023-6448.