On November 28, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert regarding the exploitation of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) Sector. This warning comes as cyber threat actors attempt to compromise PLCs that are integral to the operation of facilities responsible for ensuring clean water supply and effective wastewater management.
The alert specifically identified a case involving a Unitronics PLC at a water facility in the United States. In response to the threat, the local water authority promptly took the system offline and reverted to manual operations. However, officials confirmed, "there is no known risk to the municipality’s drinking water or water supply," reassuring the public amid rising concerns over cybersecurity vulnerabilities.
"there is no known risk to the municipality’s drinking water or water supply,"
PLCs are essential for controlling and monitoring various processes in water treatment, including regulating pump operations, chemical dosing, compliance data collection, and managing critical alarms for facility operations. The compromise of these systems poses significant risks to the integrity of water services, jeopardizing the delivery of safe drinking water and the management of wastewater.
Investigations revealed that cyber attackers likely gained access to the Unitronics Vision Series PLC through exploitable cybersecurity deficiencies, such as weak password protocols and direct exposure to the internet. CISA is urging organizations within the Water and Wastewater Sector to take decisive security actions. "Disconnect the PLC from the open internet," said a CISA representative. If remote access is required, they recommend controlling network access more strictly.
"Disconnect the PLC from the open internet,"
To enhance security, CISA suggests implementing an allowlist of IP addresses for those permitted to access the PLC and placing a firewall or VPN in front of the PLC to manage remote access. "A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support it," the representative added, encouraging facilities to consider utilizing secure long-haul transport devices offered by Unitronics for cloud services.
"A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support it,"
As of December 19, 2023, CISA has made additional resources available. Their guidance includes updates to the latest software versions for Unitronics PLCs and a detailed advisory titled 'How Manufacturers Can Protect Customers by Eliminating Default Passwords.' This advisory aims to systematically eliminate common security oversights that leave facilities vulnerable to attacks.
Partnerships between CISA and WWS Sector entities have fostered the development of various tools and resources designed to bolster cybersecurity across water utilities. The American Water Works Association, WaterISAC Resource Center, and the EPA's cybersecurity initiatives for the water sector all provide crucial information and support for improving defenses against cyber threats.
CISA has also made it clear that organizations facing anomalous cyber activity can report these instances 24/7 to report@cisa.gov or call the national hotline at 1-844-Say-CISA (1-844-729-2472). This proactive reporting is essential for recognizing and mitigating emerging threats in real time.
As cybersecurity continues to evolve, the ongoing collaboration between governmental agencies and sector partners will play a key role in safeguarding vital water systems. CISA urges facilities to prioritize the implementation of robust cybersecurity measures to counteract the ever-present risks posed by cyber actors targeting critical infrastructure.