Canada, US warn of hacks into Israeli-made logic controllers


A group of U.S. agencies has issued a joint statement warning of recent cyberattacks by an Iranian military organization “actively targeting and compromising” Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) commonly used in water and wastewater systems.

The Municipal Water Authority of Aliquippa, Pennsylvania, shared a photograph of a hacked human-machine interface from a compromised Unitronics PLC at a pump boosting station on November 25. The screen displayed the hacker’s electronic calling card: “Every equipment made in Israel is Cyber Av3ngers legal target.” 

The authority reported the actors were able to gain control of the remote booster station that monitors and regulates pressure for two townships, but stressed there is no known risk to the drinking water or water supply.

A joint statement from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate suggested there have been several PLC hacking victims targeted across multiple U.S. states. The authorities linked the cyberattacks to the Iranian government’s Islamic Revolutionary Guard Corps.


“The PLCs may be rebranded and appear as different manufacturers and companies,” the joint statement warned. 

Israel-based Unitronics has not made any public statements about other facilities with its equipment that may have been hacked or could be vulnerable.

Following the Aliquippa hack, the Canadian Centre for Cyber Security also issued an alert about the potential exploitation of Unitronics PLCs. Sami Khoury, head of the Canadian Centre for Cyber Security, suggested in a statement on Twitter, however, that “the risk to industrial control systems accessible from the Internet is not limited to Unitronics devices or the water and wastewater systems sector.”

Khoury added that “connecting industrial control systems directly to the internet without appropriate security controls is a huge risk.”

The recent attacks prompted several U.S. members of Congress to write to the Department of Justice and urge them to investigate the Aliquippa incident.

“Any attack on our nation’s critical infrastructure is unacceptable. If a hack like this can happen here in Western Pennsylvania, it can happen elsewhere in the United States,” states a joint letter from Senators Robert Casey Jr. and John Fetterman, as well as U.S. Representative Chris Deluzio. “Folks in Pennsylvania and across the country deserve peace of mind that basic infrastructure such as their drinking water is safe from nation-state adversaries and terrorist organizations.”

The U.S.-based non-profit Water Information Sharing & Analysis Center, better known as WaterISAC, issued an advisory and guidance to water utilities following the Aliquippa hacking incident.   

Echoing the agencies’ recommendations on stronger password protection, WaterISAC went further in its recommendations for safe use of Unitronics devices.

It advised utilities to utilize a TCP port other than the default port TCP 20256. Additionally, users are advised to update the device’s PLC/HMI to the latest version provided by Unitronics, and implement a firewall or VPN in front of the programmable logic controller to control network access to the remote system.
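The sketch below is an added example, not code from WaterISAC, the agencies, or Unitronics. It shows how a utility could check firewall logs for TCP connections to its PLC port from outside its management networks. The log lines are constructed in a simplified netfilter-style format, and the allowed subnets and function names are assumptions.

```python
import ipaddress
import re

UNITRONICS_DEFAULT_PORT = 20256  # default TCP port named in the WaterISAC guidance

# Assumption: PLC management traffic should only arrive from these networks
# (a VPN address pool and an engineering LAN). Replace with your own.
ALLOWED_SOURCES = [ipaddress.ip_network("10.8.0.0/24"),
                   ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample lines (simplified netfilter LOG style, documentation IP ranges).
SAMPLE_LOG = """\
Nov 25 03:12:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.10.20 PROTO=TCP SPT=51544 DPT=20256 SYN
Nov 25 03:12:07 fw kernel: IN=tun0 OUT=eth1 SRC=10.8.0.14 DST=192.168.10.20 PROTO=TCP SPT=40112 DPT=20256 SYN
Nov 25 03:13:30 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.10.20 PROTO=TCP SPT=44321 DPT=443 SYN
Nov 25 03:14:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.10.21 PROTO=UDP SPT=5353 DPT=20256
malformed line without fields
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def is_allowed(src, allowed=ALLOWED_SOURCES):
    """True if the source address belongs to an approved management network."""
    return any(src in net for net in allowed)

def find_unexpected_plc_access(log_text, plc_ports=(UNITRONICS_DEFAULT_PORT,)):
    """Return (src, dst, port) for TCP traffic to a PLC port from a non-approved source."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
            continue  # skip lines that are not connection records
        if fields["PROTO"] != "TCP" or not fields["DPT"].isdigit():
            continue
        if int(fields["DPT"]) not in plc_ports:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # unparseable source address
        if not is_allowed(src):
            findings.append((fields["SRC"], fields["DST"], int(fields["DPT"])))
    return findings

if __name__ == "__main__":
    for src, dst, port in find_unexpected_plc_access(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst}:{port} from outside the management networks")
```

If the PLC has been moved off the default port as advised, pass the new port in `plc_ports`; keeping 20256 in the tuple as well shows who is still probing the default.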

WaterISAC stated that Cyber Av3ngers claims to be an active group focused on targeting Israeli water and energy sites — including 10 water treatment stations in Israel as of October 30, according to their X page.  

The cyberattack came less than a month after a federal appeals court decision prompted the Environmental Protection Agency to rescind its plan to mandate cybersecurity testing within the water utilities sector. The decision followed legal challenges by water associations that described the plan’s measures as costly and flawed.
