CISA reaching out directly to water utilities about exposed Unitronics devices

A top official at the Cybersecurity and Infrastructure Security Agency (CISA) said the agency is working to identify water utility operators using devices from Israeli company Unitronics and notifying those organizations if they are at risk of cyberattack.

The agency’s outreach comes as cybersecurity officials within the U.S. government have raised alarms after a group allegedly connected to Iran’s Islamic Revolutionary Guard Corps (IRGC) attacked Unitronics hardware used by a water utility in Pennsylvania.

“We are working to identify operators using these devices. And our regional teams are conducting notification for those organizations that are using these devices to the Internet so that they can take action before an intrusion occurs,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters on Monday.

Since the Pennsylvania incident, several other water utilities and organizations involved in water distribution have confirmed cyberattacks.

The media briefing on Monday included also officials from the FBI and U.S. Environmental Protection Agency. Officials said they are tracking a small number of impacted water utilities at this point.

The concern centers around Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector as well as other industries like energy, food and beverage manufacturing, and healthcare. The devices are often exposed to the internet due to the remote nature of their control and monitoring functionalities, authorities and cybersesecurity researchers have said.

The PLCs may be rebranded under the names of different manufacturers and companies, officials noted.

So far the potential damage appears to be limited. Goldstein and other officials repeatedly told reporters that the federal agencies have seen “no access to operational systems as far as water facilities,” and have not seen any impact on the provision of safe drinking water.

Officials at the attacked facility in Pennsylvania told a local news outlet that the hackers did not get access to anything in the actual water treatment plant other than a pump that regulates pressure to elevated areas of the system.

The federal agencies said hackers affiliated with the IRGC have compromised default credentials in Unitronics devices since at least November 22 and explicitly claim that their motivation is to target anything associated with Israel.

Officials said they remain concerned that hackers — both of the criminal and nation-state variety — may use access to the devices as a way to gain deeper network level access that would allow them to cause physical damage to equipment or worse.

When asked whether he was concerned if this was the start of a larger campaign of state-backed hackers targeting Israeli companies and products, Goldstein said authorities are “not yet seeing an additional manifestation of that trend here in the U.S.” but noted that it's “something that the U.S. government is acutely concerned about and is working closely with our partners to ensure that we rapidly are able to detect every activity.”

EPA cybersecurity concerns

The campaign comes on the heels of a headline-filled year for cybersecurity in the water industry.

The Biden administration kicked off its National Cybersecurity Strategy efforts in March with a memo from the EPA that asked states to include cybersecurity in its audits of public water systems.

While that measure was paired with more cybersecurity funding and other initiatives, it quickly came under fire from Republican lawmakers and industry groups that eventually sued in federal court and got it withdrawn in October. The fiasco reignited concerns — aired when the national strategy was released — that any cybersecurity measure that was not included in a bill passed by Congress would either have to be voluntary or face crippling lawsuits.

On the press call on Monday, EPA official David Travers said the current campaign “underscores the importance of water systems adopting basic cybersecurity measures” and sought to dispel the notion that cyber protections are too costly — the primary claim used by industry groups and lawmakers who got the EPA memo rescinded.

When asked by The Messenger about whether the rescinded EPA memo hindered efforts to promote basic cybersecurity measures, Travers reiterated that the agency “supports addressing implementing such requirements in some form for the water sector.”

“I think what these incidents underscore for us is that without cybersecurity requirements and oversight, our nation's water and wastewater system and the communities they serve will continue to be vulnerable,” he said.

The EPA currently offers an array of tools and trainings to utilities and will send officials to utilities for cybersecurity assessments if asked. The official will also create risk mitigation programs to help utilities improve their overall cybersecurity posture.

“The issue for the water sector is both a limited technical capacity within the sector to address cybersecurity and a lack of a cybersecurity culture,” he said.

“According to a recent industry survey from 2021 of water and wastewater systems, of those who responded to the survey, just about one in five utilities have fully implemented cyber protection efforts. We need to do better than that.”