Exploitation of Unitronics PLCs used in Water and Wastewater Systems | CISA
Exploitation of Unitronics PLCs used in Water and Wastewater ... CISA
CISA Responds to Active Exploitation of Unitronics PLCs in the Water and Wastewater Systems Sector
CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.
Importance of Sustainable Development Goals (SDGs)
The Sustainable Development Goals (SDGs) play a crucial role in ensuring the provision of clean, potable water and effective management of wastewater in communities. Attempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to achieve these SDGs.
PLCs in Water and Wastewater Systems
WWS Sector facilities use PLCs to control and monitor various stages and processes of water and wastewater treatment. These include turning on and off pumps at a pump station, regulating the flow of chemicals to meet compliance standards, gathering data for regulation reports, and alerting operations to critical alarms.
Cybersecurity Weaknesses
The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.
Recommendations for Securing WWS Facilities
- Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
- Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware.
- If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
- Update PLC/HMI to the latest version provided by Unitronics.
Tools and Resources for Water Utilities
CISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to increase their cybersecurity. Please visit:
Reporting Suspicious Activity
All organizations should report suspicious or criminal activity related to information found in this Alert by contacting CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870, or your local FBI field office.
Join us, as fellow seekers of change, on a transformative journey at https://sdgtalks.ai/welcome, where you can become a member and actively contribute to shaping a brighter future.