CISA warns of attacks on Unitronics tool used by water utilities, wastewater systems
The federal government is warning that hackers are targeting a specific tool used by water and wastewater systems after two utilities announced attacks this week.
The Cybersecurity and Infrastructure Security Agency (CISA) said it is responding to the active exploitation of Unitronics programmable logic controllers (PLCs) used by many organizations in the water sector.
CISA linked the advisory to a notice from the Water Information Sharing and Analysis Center (WaterISAC) about an attack on a water utility in Pennsylvania announced on Monday.
The hackers — who said they are attacking water and energy facilities using products from Israel — forced the Municipal Water Authority of Aliquippa to take systems offline and switch to manual operations in order to remove any risk to the municipality's water or water supply.
Water and wastewater systems (WWS) “use PLCs to control and monitor various stages and processes of water and wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations,” CISA explained.
PLCs are industrial control systems (ICS), a broad category of technology that plays a crucial role in critical infrastructure.
“Attempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” CISA said.
CISA said it is likely the hackers accessed the Unitronics Vision Series PLC by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.
Attacks on PLCs and other operational technology systems are not new or uncommon. Since the onset of Russia’s invasion of Ukraine, there have been several instances where malware like Triton and Incontroller has illustrated that real-world threat actors are both capable of and interested in causing physical damage through cyberattacks.
CISA urged utilities to change default passwords, require multifactor authentication for all remote access to the operational technology network, and disconnect PLCs from the open internet or install firewalls and VPNs if remote access is necessary.
Organizations should also back up the logic and configurations on any Unitronics PLCs to enable fast recovery. CISA warned that organizations should become familiar with factory resetting so that in the event of a ransomware attack, they will know how to restore configurations.
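One way a utility could check the "disconnect PLCs from the open internet" recommendation against its own perimeter firewall is sketched below; this is an added example, not code from CISA, Unitronics or the article. The inventory, rule format, VPN pool, port number and function names are all constructed for illustration, and the rule list is assumed to be evaluated first-match.

```python
import ipaddress

# Constructed sample data: PLC inventory, the VPN client pool that remote
# access is supposed to come from, and an ordered inbound rule list.
PLC_PORT = 5000  # placeholder; use the port your controllers listen on
PLCS = {"pump-station-1": "10.20.0.11", "booster-2": "10.20.0.12",
        "clearwell": "10.20.1.5"}
APPROVED_SOURCES = [ipaddress.ip_network("10.99.0.0/24")]
RULES = [  # (action, source CIDR, destination CIDR, port or None for any)
    ("allow", "10.99.0.0/24", "10.20.0.0/16", None),         # VPN users
    ("allow", "0.0.0.0/0", "10.20.0.12/32", PLC_PORT),       # direct exposure
    ("deny", "0.0.0.0/0", "10.20.1.0/24", None),
    ("allow", "198.51.100.0/24", "10.20.1.5/32", PLC_PORT),  # shadowed by the deny
    ("deny", "0.0.0.0/0", "10.20.0.0/16", None),
]

def net(cidr):
    return ipaddress.ip_network(cidr)

def covers(rule, src, dst_ip, port):
    """True if the rule matches every packet from src to dst_ip on port."""
    _, r_src, r_dst, r_port = rule
    return (src.subnet_of(net(r_src)) and dst_ip in net(r_dst)
            and r_port in (None, port))

def exposed_plcs(plcs, rules, approved=APPROVED_SOURCES):
    """Return {plc_name: [allow rules reachable from non-approved sources]}."""
    findings = {}
    for name, addr in plcs.items():
        dst_ip = ipaddress.ip_address(addr)
        for i, rule in enumerate(rules):
            action, r_src, r_dst, r_port = rule
            if action != "allow" or dst_ip not in net(r_dst):
                continue
            src = net(r_src)
            if any(src.subnet_of(ok) for ok in approved):
                continue  # remote access arrives through the VPN
            # An earlier deny that fully covers this traffic wins under
            # first-match; partial overlap is reported conservatively.
            if any(r[0] == "deny" and covers(r, src, dst_ip, r_port)
                   for r in rules[:i]):
                continue
            findings.setdefault(name, []).append(rule)
    return findings

if __name__ == "__main__":
    for plc, rules in exposed_plcs(PLCS, RULES).items():
        print(f"{plc}: reachable outside the VPN via {rules}")
```

Any controller it reports has an allow rule that admits traffic from outside the approved VPN range, which is the exposure CISA's guidance asks utilities to remove.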
Another water utility serving 2 million people in North Texas said Tuesday that it is also dealing with a cybersecurity incident that caused operational issues, but officials did not say if it was related to issues with Unitronics PLCs.
CISA noted that it has worked to provide resources and tools to water utilities through partnerships with the EPA, WaterISAC and the American Water Works Association (AWWA) — a trade group that drew headlines earlier this year for helping force the EPA to rescind efforts to improve water utility cybersecurity.
Kevin Morley, a representative for AWWA, told Recorded Future News that the organization advised its members Tuesday about the attacks and “urged them to be vigilant, and reminded them of the cyber resources available to them from AWWA.”
‘Ticking time bomb’
Christopher Warner, an operational technology cybersecurity expert with GuidePoint Security, explained that disruptive attacks targeting the integrity of these crucial processes can lead to significant repercussions, obstructing water and wastewater treatment facilities in their efforts to provide reliable access to clean, potable water.
Warner noted that Unitronics PLCs “are deployed in automated parking systems, packaging and palletizing, energy production, agriculture, food, HVAC, dairy, chemical, wastewater, boiler industries, plastic extrusion, and other industrial sectors.”
“The fact that elements of our critical infrastructure are connected to the internet with default passwords as basic as ‘1111’ is a ticking time bomb,” said Nozomi Networks’ Chris Grove, who works with several industrial organizations on cybersecurity.
“It was inevitable that a threat actor would exploit such a glaring vulnerability.”
Grove added that sectors like water and wastewater have long been neglected and have underfunded cybersecurity protections, leaving them vulnerable.
Two other experts — Tenable’s Marty Edwards and OPSWAT’s Mark Toussaint — said the incident was a glaring example of why government regulation is needed to ensure that public services have an adequate level of cybersecurity protections.
“Mitigating cybersecurity risks in ICS systems can present a challenge for some organizations, and particularly in Water and Wastewater Systems since they are often smaller municipalities with limited resources,” Toussaint said. “This industry is also not regulated by enforceable cybersecurity requirements, making it more vulnerable.”
The AWWA’s Morley said the group has shared a range of tools and guidance with members on how to protect their systems.
While the organization has previously fought against EPA cybersecurity efforts, Morley said the AWWA “supports the need for strong cybersecurity oversight in the water sector and recommends Congress authorize a collaborative model that engages utilities in developing cybersecurity requirements with oversight from the U.S. Environmental Protection Agency (EPA).”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.