Action may be required: If your utility uses Unitronics UniStream integrated PLC/HMI products, please promptly review the latest advisory and address accordingly.

It’s not uncommon for security researchers (and threat actors) to delve further into various vulnerabilities of components and software. This seems to hold true as Claroty’s Team82 was recently motivated to research the attack surface of the UniStream PLC series, Unitronics’ current generation of integrated PLCs and HMIs. Yes, the same Unitronics equipment used in the water and wastewater systems sector that was targeted by anti-Israeli CyberAv3ngers who were able to deface insecure internet-exposed components via default passwords.

According to Team82, among its feature improvements, the UniStream series includes a native authentication schema that Team82 was able to bypass.

• Unitronics has updated its UniStream integrated PLC/HMI products to address critical vulnerabilities disclosed by Team82.
• The vulnerabilities could allow an attacker to bypass native authentication and authorization features in the product and can be chained to gain remote code execution.
• Unitronics urges its users to update UniStream OS to version 1.35.47 or later and released an advisory.
• Previous attacks against Unitronics’ Vision series of PLCs were disclosed in November. The PLCs were compromised in high-profile attacks against Israeli and American water treatment facilities. The vulnerabilities used in those attacks were addressed by the vendor.
• Israel National Cyber Directorate has published an advisory that includes mitigation and remediation information.

Most notably, during its research, Team82 uncovered eight vulnerabilities that not only bypassed the authentication and authorization features in the UniStream PLCs, but also were able to be chained to gain remote code execution on the device. Using publicly available internet scanning services, Team82 identified around 480 internet-exposed and vulnerable UniStream devices. It should be noted that these devices are not preconfigured to be reachable online, and that these are configuration mistakes on the part of users, likely opening ports on the device for integrator access or other remote support.

As a reminder, it is important to:

• Assess all PLCs in your environment for insecure configurations (e.g., exposed to the internet and using default passwords and ports).
• Check for and change default passwords across all PLCs. As a generally recommended practice, default passwords should be changed on every device or component active in your networks (OT or IT).
• Refrain from connecting (all) PLCs to the internet. If remote access is not necessary, a PLC connected to the internet represents an unnecessary risk to safety, availability, and control of your SCADA environment.
  • However, if remote access is absolutely necessary, it is important that at a minimum, it securely sits behind a firewall and/or requires a VPN to access.
  • Additionally, MFA should be implemented, at the very least on the VPN (if the PLC doesn’t support MFA).
• Change the PLC default communications port. If possible, utilize an alternate TCP port for communications to the PLC.

For more details on the vulnerabilities, including a video demonstrating the compromise, visit Claroty.

Additional PLC security resources:

• ICS/SCADA Resilience – Many Struggle Securing PLCs, but They Don’t Have To | WaterISAC
• Top 20 Secure PLC Coding Practices | PLC-Security