CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack

CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack

November 29, 2023 at 08:36AM

Hackers breached the Municipal Water Authority of Aliquippa’s ICS in Pennsylvania but didn’t compromise water safety. CISA linked the attack to the Cyber Av3ngers, possibly Iran-based, targeting an insecure Israeli-made Unitronics PLC. CISA advised stronger security measures for such systems given rising cyber threats to the water sector.

**Meeting Takeaways:**

1. **Incident Summary** – The Municipal Water Authority of Aliquippa in Pennsylvania suffered a cyberattack on their ICS that did not compromise water safety.

2. **Attack Vector** – Hackers took control of an internet-accessible Unitronics Vision PLC system used to monitor and regulate water pressure.

3. **Perpetrators** – Claimed responsibility by the Cyber Av3ngers group, with possible anti-Israel motives and links to Iran.

4. **Unitronics PLC Vulnerability** – Unitronics Vision PLCs have known critical vulnerabilities and often suffer from insufficient security measures, such as internet exposure without needed authentication.

5. **CISA Advisory** – The agency attributed the cyberattack to exploitation of cybersecurity weaknesses, namely poor password management and internet exposure.

6. **Protection Measures** – CISA recommends changing the default passwords, enabling multi-factor authentication, preventing direct internet exposure, making backups, changing default ports, and updating the devices to the latest version for organizations using Unitronics PLCs.

7. **Sector Impact** – An attack on water and wastewater systems’ PLCs could severely impact the provision of clean water and management of wastewater.

8. **Rising Threats and Assistance** – With increasing cyberattacks on the water sector, CISA offers a vulnerability scanning service for these systems.

9. **Related Information** – Instances of cyberattacks on water systems are noted, including a charge against a former contractor, the EPA’s mandate for states to report cyber threats to water systems, and unpatched flaws that leave water pump controllers open to attacks.

Full Article