As a follow up and in response to WaterISAC’s advisory yesterday on the incident at the Municipal Water Authority of Aliquippa, CISA just released an alert warning water and wastewater utilities of the exploitation of Unitronics PLCs. According to the alert, the threat actors likely accessed the affected device – a Unitronics Vision Series PLC with a Human Machine Interface (HMI) – by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet.

Members are encouraged to check their environment for the affected Unitronics PLCs and address accordingly – including by disconnecting the PLC from the internet if remote access is not absolutely necessary.

Additionally, CISA is urging entities to:

• Change the Unitronics PLC default password – validate that the default password “1111” is not in use.
• Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks.
• Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services.
• Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware. 
• If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets.
• Update PLC/HMI to the latest version provided by Unitronics.

Incident Reporting
If your utility experiences any cyber incidents or suspicious activity, contact the FBI via your local Field Office, Cyber Watch (CyWatch) at (855) 292-3937 or CyWatch@fbi.gov, or the Internet Crime Complaint Center (IC3). You can also contact CISA at report@cisa.gov or (888) 282-0870. Additionally, WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form.

Additional Information and Recommended Resources

• Resource Center - WaterISAC
  • (TLP:CLEAR) Water Utility Control System Cyber Incident Advisory: ICS/SCADA Incident at Municipal Water Authority of Aliquippa
• Water and Wastewater Cybersecurity - CISA
  • CISA's services include free Cyber Vulnerability Scanning, which continuously assesses the health of internet-accessible assets by checking for known vulnerabilities, weak configurations – or configuration errors – and suboptimal security practices.
• Cybersecurity for the Water Sector - EPA
  • EPA’s services include the Cybersecurity Evaluation Program, where utilities work with a cybersecurity professional virtually to complete an assessment. Following the assessment, utilities receive their comprehensive Assessment Report and Risk Mitigation Plan Template so they can begin addressing their cybersecurity gaps and track their progress as they make improvements to their cybersecurity program.
• Cybersecurity & Guidance - AWWA
• Cybersecurity: Vision and Samba Controllers (Unitronics CTO Ivgeny Blokh) - YouTube
• Federal officials investigating after pro-Iran group allegedly hacked water authority in Pennsylvania - CNN

Marked TLP:CLEAR, recipients may share this advisory without restriction. Information is subject to standard copyright rules. For more information on the Traffic Light Protocol, or TLP, visit CISA.