Water Facilities Targeted in Active Exploitation of Unitronics PLCs
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about active exploitation of Unitronics programmable logic controllers (PLCs), a product line widely deployed in the Water and Wastewater Systems (WWS) sector. According to the alert, a Unitronics PLC at a U.S. water facility was compromised. CISA states that the affected municipality's water supply remains safe, but unauthorized access to a WWS facility's control devices is a direct risk to the treatment process itself. As CISA explains, PLCs control and monitor the "various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations." An attacker with write access to such a device is therefore not just reading data; they can alter setpoints or stop equipment.
CISA recommends several measures for securing Unitronics PLCs: change the default password (CISA notes the devices ship with a default of 1111), require multifactor authentication for all remote access to the OT network, disconnect PLCs from the open internet, put any necessary remote access behind a firewall or VPN so that only authorized hosts can reach the controller, keep current backups of the PLC logic and configuration so a tampered device can be restored quickly, move the PLC off its default TCP port (20256 for Unitronics' PCOM protocol), and update PLC and HMI firmware to the latest versions published by Unitronics. A caveat a practitioner should keep in mind: changing the TCP port only raises the bar against mass internet scanning; a PLC on a non-default port that is still reachable from the internet with a weak password is still exposed. The alert stresses that these precautions are what stand between an opportunistic scanner and the integrity of a water or wastewater treatment process.
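The recommendations above boil down to one question a utility can actually check: can anything outside the engineering network reach a PLC management port? The script below is an added example, not CISA's or Unitronics' code, that runs that check over firewall or flow logs. It assumes a hypothetical log format (`<time> <action> <proto> <src>:<port> -> <dst>:<port>`), a hypothetical trusted OT subnet of 10.20.30.0/24, and a site that has relocated one PLC to port 20257; the only fact taken from CISA's alert is that 20256 is the Unitronics default PCOM port. The sample log lines are constructed. It flags allowed connections from untrusted sources as high severity and denied ones as low-severity probes, and it treats the relocated port exactly like the default, which is the point: moving the port does not remove exposure.

```python
"""Audit firewall/flow logs for PLC ports reachable from outside the trusted OT subnet.

Added example for this article; not CISA's, Unitronics', or any utility's code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Unitronics PLCs ship with TCP port 20256 (PCOM) as the default, per CISA's alert.
UNITRONICS_DEFAULT_PORT = 20256

# Hypothetical site configuration: the only subnet permitted to talk to PLCs,
# and every port a PLC listens on (the default plus a relocated "alternative" port).
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
PLC_PORTS = {UNITRONICS_DEFAULT_PORT, 20257}

# Constructed sample log lines in a hypothetical "<time> <action> <proto> <src>:<port> -> <dst>:<port>" format.
SAMPLE_LOG = [
    "# firewall export (constructed sample)",
    "2023-11-25T03:12:44Z ALLOW TCP 198.51.100.23:51022 -> 10.20.30.40:20256",  # external host reached PLC
    "2023-11-25T03:12:51Z ALLOW TCP 10.20.30.5:40111 -> 10.20.30.40:20256",     # engineering workstation, fine
    "2023-11-25T03:13:02Z DENY TCP 203.0.113.7:60002 -> 10.20.30.40:20256",     # blocked probe from outside
    "2023-11-25T03:14:10Z ALLOW TCP 10.20.30.5:40112 -> 10.20.30.41:20257",     # workstation to relocated port
    "2023-11-25T03:15:30Z ALLOW TCP 198.51.100.23:51023 -> 10.20.30.41:20257",  # relocated port, still exposed
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    severity: str  # "high": untrusted source reached a PLC port; "low": blocked attempt (probe)
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_trusted(ip: str, trusted_nets=TRUSTED_NETS) -> bool:
    """Explicit allowlist check. Deliberately not ipaddress.is_global: the documentation
    ranges used in the sample (198.51.100.0/24, 203.0.113.0/24) count as non-global there."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def audit_firewall_log(lines: Iterable[str], plc_ports=PLC_PORTS, trusted_nets=TRUSTED_NETS) -> list[Finding]:
    """Return one Finding per TCP connection to a PLC port from outside the trusted subnet."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comments or unrelated lines must not abort the audit
        dport = int(m["dport"])
        if m["proto"] != "TCP" or dport not in plc_ports:
            continue
        if is_trusted(m["src"], trusted_nets):
            continue
        if m["action"] == "ALLOW":
            findings.append(Finding("high", m["ts"], m["src"], m["dst"], dport,
                                    "PLC port reachable from outside the trusted OT subnet; "
                                    "relocating the port does not change this"))
        else:
            findings.append(Finding("low", m["ts"], m["src"], m["dst"], dport,
                                    "blocked connection attempt to a PLC port from an untrusted source"))
    return findings


def summarize(findings: Iterable[Finding]) -> dict[str, int]:
    """Count findings by severity so the result can be checked or alerted on."""
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_firewall_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.ts} {f.src} -> {f.dst}:{f.dport}: {f.reason}")
    print(summarize(results))
```

Any "high" finding means the PLC is, in practice, on the internet regardless of which port it listens on, and the fix is the network change CISA describes (firewall or VPN in front of the device), with the password change and firmware update done alongside it rather than instead of it.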
In recent weeks, multiple water utilities have been hit by hostile cyber actors. The intrusion at the Municipal Water Authority of Aliquippa, Pennsylvania, near Pittsburgh, has been attributed to the pro-Iranian group Cyber Av3ngers, and the Daixin ransomware group claimed the attack on the North Texas Municipal Water District (NTMWD). Although CISA's alert names neither a threat group nor the affected entities, it underscores how actively critical infrastructure is now being targeted.