
Water Facilities Hacked: OT Workers Mustn’t Wash Their Hands of Cyber Hygiene

Iranian threat actor compromised an unspecified number of water and wastewater facilities from Israel-based manufacturer Unitronics.

We associate water with basic human hygiene – so it’s ironic and disconcerting when employees at water authorities and other critical infrastructure facilities violate the fundamental principles of cyber hygiene, potentially exposing citizens to danger.

A recent series of digital compromises affecting local U.S. water plants should serve as a reminder that getting the simple stuff right – like secure system configurations, vulnerability management, password management and authentication – isn’t always so obvious unless cyber responsibility is ingrained within your organization.

According to multiple U.S. government agencies, an Iranian threat actor compromised an unspecified number of water and wastewater facilities in November and December 2023 via programmable logic controller (PLC) devices from Israel-based automation and controls manufacturer Unitronics.

One victim of the politically inspired act was identified in reports as the Municipal Water Authority of Aliquippa in Western Pennsylvania. A Nov. 28, 2023 alert from the Cybersecurity and Infrastructure Security Agency (CISA) referred to an unnamed water authority, noting that the facility promptly took the affected system offline and the water supply was not impacted.

A follow-up Dec. 1 advisory from CISA, the FBI, National Security Agency, Environmental Protection Agency and Israel National Cyber Directorate provided more context, adding that the attacker’s compromise campaign is “centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment.”

One might think malicious hackers would need to circumvent some especially robust security measures to compromise a critical infrastructure facility. But not so – CISA’s alert suggests that a lack of common best practices likely left the door open to the perpetrators, whom the U.S. has identified as the CyberAv3ngers, an advanced persistent threat group affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC).

“The cyber threat actors likely accessed the affected device… by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the alert stated. “Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices.”

CNN reported on Dec. 1 that fewer than 10 water plants in the U.S. were affected by the campaign. And while the end result was nothing too dire, such incidents should nonetheless ring alarm bells and encourage more vigilance among OT managers, engineers and day-to-day workers. Unfortunately, a common gripe among cybersecurity leaders is that the personnel inside OT/industrial environments are not especially sympathetic to their cause. That’s because the people running these facilities tend to favor production and operational continuity over security, since imposed restrictions on system access can slow down business.

The flaw with this philosophy is that when a security issue does strike, the effects on operations can be enormously detrimental. To get this message across, organizations would be wise to extend their cybersecurity awareness programs to their industrial operations, even if they need to tailor the lesson plans and expectations around the needs of an OT environment.

A good place to start would be to emphasize the cyber hygiene recommendations that CISA set forth in its recent alert and advisory. Key suggestions included replacing default passwords with stronger credentials, enforcing multifactor authentication, eliminating or limiting exposure to the open Internet, placing controls on network access to remote PLCs, backing up PLC logic and configurations, and regularly updating device versions. Unitronics users are also advised to avoid default port TCP 20256 if possible, as the attackers are actively targeting it.
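The internet-exposure point above is one an OT team can check from its own perimeter logs rather than take on faith. The script below is an added example, not code from the article or from CISA's advisory: it reads firewall log lines in a constructed format (real appliances differ), and flags any TCP session to a known PLC on the default port 20256 that originates outside the plant's own address ranges. The PLC addresses and internal networks are assumed values.

```python
import ipaddress
import re

# Default PCOM listener port on Unitronics PLCs, as named in the CISA advisory.
UNITRONICS_DEFAULT_PORT = 20256

# Constructed firewall log format for this example; real appliances differ.
LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def find_plc_exposure(lines, plc_hosts, internal_nets, port=UNITRONICS_DEFAULT_PORT):
    """Flag TCP sessions to a PLC on the PCOM port from outside the plant's networks.

    Returns a list of (severity, src, dst, action). A permitted session from an
    outside address means the controller is reachable from the internet (the
    condition CISA describes); a blocked one means someone is probing for it.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != port:
            continue
        if m["dst"] not in plc_hosts:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in nets):
            continue  # engineering workstation or SCADA host inside the plant
        severity = "HIGH" if m["action"].lower() == "allow" else "MEDIUM"
        findings.append((severity, m["src"], m["dst"], m["action"]))
    return findings


# Constructed sample: two PLCs on the OT VLAN, one HMI inside, two outside sources.
PLC_HOSTS = {"10.20.30.5", "10.20.30.6"}
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE_LOGS = [
    "action=allow proto=tcp src=10.20.1.15:50123 dst=10.20.30.5:20256",   # HMI, fine
    "action=allow proto=tcp src=203.0.113.10:44321 dst=10.20.30.5:20256",  # exposed
    "action=deny proto=tcp src=198.51.100.7:60011 dst=10.20.30.6:20256",   # probe
    "action=allow proto=tcp src=203.0.113.10:44322 dst=10.20.30.9:20256",  # not a PLC
    "action=allow proto=udp src=203.0.113.10:44323 dst=10.20.30.5:20256",  # not TCP
]

if __name__ == "__main__":
    for sev, src, dst, action in find_plc_exposure(SAMPLE_LOGS, PLC_HOSTS, INTERNAL_NETS):
        print(f"{sev}: {src} -> {dst}:{UNITRONICS_DEFAULT_PORT} ({action})")
```

A HIGH finding is the condition the advisory warns about and should drive the remediation steps listed above (remove the exposure, change the credentials, move off the default port); a MEDIUM finding shows the perimeter is holding but the device is being looked for.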
