Water Supply Utilities Targeted by Threat Actors
It appears threat actors are starting to build skills at targeting specific assets used in industrial and critical infrastructure environments.
The latest example is an attack documented by CISA (see here), where threat actors affiliated with an Iranian-backed cyber group hacked programmable logic controllers (PLC) used at Municipal Water Authority of Aliquippa in Pennsylvania.
The affected PLCs are made by Unitronics, a company that specializes in the design and manufacturing of PLC and human-machine interface (HMI) solutions used in various industrial and manufacturing applications to control and automate processes.
The water facility is using Unitronics PLCs to monitor and regulate water pressure at several sites. Few details are known, but it appears the attackers were able to gain remote control of a booster station serving two townships, which triggered an alarm.
A closer look reveals that the attack was very trivial in nature. First, Unitronics PLCs and HMIs appear to have a default password ("1111") which is rarely modified. Also, the devices are often exposed on the public internet with a default port TCP 20256.
This makes it very easy to compromise the devices, but it also shows a lack of basic security at critical infrastructure companies. For example, standards and best practices such as ISA/IEC 62443 stress the importance of partitioning critical systems into a set of interconnected zones based on an analysis of functionality, combined with a risk assessment for each functional area. Any risk assessment in such circumstances would flag internet-exposed devices as a clear red flag.
Yet even today, a Shodan search indicates approximately 1600 Unitronics PLC devices are reachable globally. Around 280 of those are of the type in use by the affected water utility.
Although the attack is anything but sophisticated, it highlights glaring security issues with PLC and HMI devices in critical infrastructure: from weak authentication (default passwords) to lack of any network segmentation or access controls.
That's why, in a threat landscape where attackers are increasingly focusing their attention on OT technologies, it becomes ever more important to perform risk assessments. Learn how to make them easier and more effective in our upcoming webinar: