
CISA: Threat Actors Targeting Unitronics Devices Used in Water Facilities


CISA is urging water facilities in the critical infrastructure sector to change the default passwords on their Unitronics devices and disconnect them from the internet after a water treatment facility in Pennsylvania was hit by a cyberattack.

The U.S. government is warning that threat actors are targeting security weaknesses in a Unitronics device that is used to control various processes in water and wastewater treatment facilities.

The warnings come after reports of a cyberattack late last week on the Municipal Water Authority of Aliquippa, which is in western Pennsylvania and includes a drinking water system that serves 6,615 customers and a sanitary sewer system supporting 5,321 customers. According to an alert by the Water Information Sharing and Analysis Center (WaterISAC), threat actors were able to compromise a Unitronics device in the facility in order to gain control of a remote booster station that served two townships.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Tuesday alert, the water authority immediately took the system offline and switched to manual operations, and there is no known risk to the municipality’s drinking water or water supply.

“The administration is aware of a reported intrusion into a Pennsylvania water utility,” said Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA in a statement. “We are closely engaged with sector and interagency partners to understand this evolving situation and provide any necessary support or guidance. Every organization potentially impacted by a cyber intrusion should immediately report to CISA or the FBI.”

CISA’s alert focuses on the device at the center of the attack, a Unitronics programmable logic controller (PLC), which it said threat actors are actively targeting. These devices control different stages of wastewater management, like turning on and off the pumps used to fill tanks or reservoirs, gathering compliance data for monthly regulation reports, and monitoring the flow pace of chemicals to make sure it stays within regulatory standards.

CISA's alert doesn’t say exactly how threat actors accessed the device, but the agency said they likely exploited security weaknesses like poor password hygiene or the PLC being exposed to the internet. CISA urged organizations to change the default password on Unitronics devices and disconnect the PLC from the internet.

“If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC,” according to CISA. “A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.”

Organizations should also set up MFA alerts for remote access to the operational technology network (including from the IT network and from external networks) and back up logic and configurations on the Unitronics devices to help with fast recovery if an incident does occur. Finally, CISA recommended that organizations use a TCP port other than the default TCP 20256, which threat actors are actively targeting after identifying it as a port associated with Unitronics devices, and update their PLC to the most recent version provided by Unitronics.
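The exposure check implied by CISA's recommendations above (a PLC reachable from outside the utility's network on the default TCP 20256 port) can be turned into a routine review of perimeter firewall logs. The script below is an added example written for this article; it is not code from the original piece, from CISA or from Unitronics. It assumes a hypothetical key=value firewall log layout (not any vendor's real format), that the utility's own OT and IT networks live in RFC 1918 address space, and uses constructed log lines with documentation-range source addresses as sample input. Accepted sessions from outside the internal ranges to the PLC port are reported as exposed hosts; dropped attempts are kept separately as probe noise worth trending.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Default Unitronics PLC service port named in CISA's alert.
UNITRONICS_DEFAULT_PORT = 20256

# Assumption: the utility's own networks use RFC 1918 space; any other
# source address is treated as internet-sourced.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample firewall log (hypothetical key=value layout, not a real
# vendor format). External sources use RFC 5737 documentation ranges.
SAMPLE_FIREWALL_LOG = """\
2023-11-28T03:12:44Z ACCEPT src=203.0.113.45 dst=10.20.5.7 proto=TCP dport=20256
2023-11-28T03:12:51Z ACCEPT src=10.20.1.15 dst=10.20.5.7 proto=TCP dport=20256
2023-11-28T03:13:02Z DROP src=198.51.100.9 dst=10.20.5.7 proto=TCP dport=20256
2023-11-28T03:13:10Z ACCEPT src=10.20.1.16 dst=10.20.5.8 proto=TCP dport=443
2023-11-28T03:14:30Z ACCEPT src=198.51.100.22 dst=10.20.5.9 proto=TCP dport=20256
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit_plc_exposure(
    log_text: str, plc_port: int = UNITRONICS_DEFAULT_PORT
) -> Dict[str, List[Dict[str, str]]]:
    """Classify externally sourced TCP traffic to the PLC port.

    'exposed' holds accepted sessions from outside the internal ranges, i.e.
    PLC hosts reachable from the internet on that port. 'blocked_probes' holds
    dropped external attempts, which the firewall stopped but which show the
    port is being looked for.
    """
    exposed: List[Dict[str, str]] = []
    probes: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or int(rec["dport"]) != plc_port:
            continue
        if is_internal(rec["src"]):
            continue  # internal-to-internal access is expected; not an exposure
        (exposed if rec["action"] == "ACCEPT" else probes).append(rec)
    return {"exposed": exposed, "blocked_probes": probes}


def exposed_plc_hosts(log_text: str, plc_port: int = UNITRONICS_DEFAULT_PORT) -> List[str]:
    """Sorted, de-duplicated list of destination hosts with accepted external sessions."""
    return sorted({rec["dst"] for rec in audit_plc_exposure(log_text, plc_port)["exposed"]})


if __name__ == "__main__":
    result = audit_plc_exposure(SAMPLE_FIREWALL_LOG)
    for host in exposed_plc_hosts(SAMPLE_FIREWALL_LOG):
        print(f"EXPOSED: {host} accepts internet-sourced sessions on TCP {UNITRONICS_DEFAULT_PORT}")
    print(f"blocked external probes: {len(result['blocked_probes'])}")
```

Any host listed as exposed is a candidate for the alert's first two steps (disconnect the PLC from the internet, then put a firewall/VPN with MFA in front of it); if the PLC has already been moved off TCP 20256, pass the new port as `plc_port` so the same review keeps working.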

Water Facility Security Problems

Water and wastewater systems are considered to be a critical infrastructure sector by the U.S. government, and security issues in these facilities are a major concern because they could potentially threaten the various functions that these plants rely on, like providing clean water and managing communities’ wastewater.

Cybersecurity incidents in the critical water sector are rare but not unheard of, and several incidents over the past years have highlighted the dangers that can stem from unauthorized access to these types of systems.

Earlier this year, for instance, the Department of Justice (DoJ) charged a former water treatment facility contractor for allegedly gaining unauthorized access to the computer network of the Discovery Bay, Calif.-based facility and uninstalling its main operational and monitoring system. And in 2021, a 22-year-old man pleaded guilty to accessing a Kansas public water system’s computers in 2019 in order to shut down the processes behind the facility’s cleaning and disinfecting procedures.

U.S. government agencies have also faced challenges in trying to figure out how to assess, develop and implement baseline security requirements in the water sector, and earlier this year a White House advisory group called for a water industry national standard for cybersecurity “that is affordable and attainable by all utilities.”

At the same time, water facilities in the public sector face an array of roadblocks that other industries don’t have to deal with when it comes to cybersecurity. They must compete for talent with the private sector, for instance, and local critical infrastructure utilities also lack access to various resources and budgetary assistance in this area.

Jennifer Lyn Walker, Director of Infrastructure Cyber Defense for WaterISAC, said there is an increasing awareness of cybersecurity threats in the water sector, but “we have a ways to go.”

“There are so many smaller systems that we (the collective ‘we’ as in other sectors and government organizations) have been unable to reach,” she said. “Which is why I constantly ask the larger/more mature utilities to reach out to their neighboring rural water and wastewater utilities and essentially take them under their wing. Threat actors abuse trust relationships to break down our defenses; we need to leverage trust relationships to build up our defenses (including those of our neighbors). My ask is for them to be a good neighbor and make cybersecurity part of the conversation.”