A US water treatment facility has been breached by hackers, according to the Cybersecurity & Infrastructure Security Agency (CISA).
The hackers breached the facility by exploiting the poor default security measures of Unitronic programmable logic controllers (PLCs).
The PLCs were confirmed as the source of the breach by CISA, but the agency stated that the hackers had not affected the water within the facility.
Vulnerabilities need plugging
The PLCs targeted by the hackers are usually responsible for control and management of critical infrastructure, and could be used maliciously within a water facility to contaminate supplies, turn off the municipal supply of water, or damage the structures within the facility.
A similar attack, attributed to Iranian hackers, took place targeting a water facility in Philadelphia, however CISA did not confirm who was behind the most recent attack.
In a statement from CISA regarding the attack, the agency reported, “Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility.”
“In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.”
CISA also released guidance for organizations on how to keep Unitronic PLCs secure:
- Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
- Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery.
- Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
- If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
- Update PLC/HMI to the latest version provided by Unitronics.
Via BleepingComputer