Identifying Threats to Utilities and Services

Summary

Identifying threats to utilities and services involves detecting vulnerabilities and potential risks that could compromise critical infrastructure, such as water systems or energy grids. By understanding these threats, organizations can take proactive measures to protect essential operations and prevent disruptions.

  • Update security protocols: Replace default passwords on devices like programmable logic controllers (PLCs) with strong, unique passwords to minimize unauthorized access risks.
  • Restrict internet exposure: Disconnect critical control systems from public-facing networks to reduce vulnerabilities to cyberattacks.
  • Conduct thorough assessments: Implement regular cybersecurity risk assessments, such as NIST 800-53 evaluations, to identify potential weaknesses and implement resilience measures.
Summarized by AI based on LinkedIn member posts
  • Cynthia Kaiser

    SVP & Fmr FBI Cyber Exec | Commentator & Keynote Speaker | Passionate About Threat Intelligence & Cyber Defense

    Must read #CybersecurityAdvisory for operational technology owners and operators. For a little over a week, Iranian IRGC actors using the persona ‘CyberAv3ngers’ have been targeting and compromising Unitronics PLCs, most commonly used in the water and wastewater sector, using default credentials. The PLCs may be rebranded and appear as different manufacturers and companies.

    FBI Cyber Division and our partners at CISA, NSA, EPA, and the Israel National Cyber Directorate are providing urgent recommendations and mitigation guidance. The Iranian actors compromised Unitronics Vision Series PLCs with human machine interfaces that were publicly exposed to the internet with default passwords and by default are on TCP port 20256. The compromise is centered around defacing the controller’s user interface and may render the PLC inoperative. With this type of access, deeper device and network level accesses are available and could render additional, more profound cyber physical effects on processes and equipment.

    IOCs can be found at https://lnkd.in/eh4bkD3M & https://lnkd.in/eRs9wvJc

    Immediate steps to prevent the attack:

      · Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use.
      · Disconnect the PLC from the public-facing internet.

    If you believe you have been targeted or compromised, reach out to your local FBI Field Office today (https://lnkd.in/esFNaZ4Y). For more information about threats from Iran see the FBI’s Iran Threat page (https://lnkd.in/edHf8YXU) and CISA’s Iran Threats and Advisories page (https://lnkd.in/e9i3qDdE). Full Cybersecurity Advisory can be found below and at https://lnkd.in/eNfsZH9J.

    #cyber #cybersecurity #FBI #nationalsecurity #cyberthreatintelligence #cyberintelligence #PLC #HMI

  • Charles Durant

    Director Field Intelligence Element, National Security Sciences Directorate, Oak Ridge National Laboratory

    'According to the EPA, 90% of the nation’s community water systems are small, public systems bringing water to 10,000 or fewer customers. As water industry representatives and lawmakers have both advised, they often lack adequate budgets for new equipment and technology, or to retain cybersecurity personnel or services. They consequently face the escalating threat environment without the expertise and technologies to fully address cybersecurity risk, including threats to their operational technology, such as the industrial control systems that operate water pumping stations. Government and industry must coordinate more closely than ever to protect critical infrastructure and services, including water. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, National Security Agency, Environmental Protection Agency and other agencies routinely share advisories on vulnerabilities and guidance with industry and other stakeholders. Yet water is still at risk. Unlike other critical infrastructure sectors that have well-developed cybersecurity standards, such as our electrical systems that are consistently targeted and lacking structures in place to fund investments, the water sector is only beginning its cybersecurity journey. Many water facilities lack the financial and workforce capacity to even prioritize and act on information about threats, let alone build defensible systems.' https://lnkd.in/ga2ijfC2

  • Steve King, CISM, CISSP

    Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory

    In an unsophisticated cyber-attack that spanned across multiple U.S. states, hackers affiliated with Iran targeted the Municipal Water Authority of Aliquippa in Pennsylvania.

    This breach, occurring on November 25, 2023, compromised a Programmable Logic Controller (PLC) made by Unitronics, a key device in the water authority's pumping booster station. The choice of target is deliberate, as the hackers left an electronic note indicating a preference for Israeli-made components.

    This incident is not isolated to the water sector. The same type of PLCs, critical in managing various stages of water and wastewater treatment, are used across industries including energy, healthcare, and food and beverage manufacturing. These devices play a crucial role in regulating essential processes like fluid flow, pressure, and temperature control.

    The hacking group, known as “Cyber Av3ngers,” is connected to Iran’s Islamic Revolutionary Guards Corps, a group designated as a terrorist organization by the U.S. in 2019. Their focus on Israeli-made components has led to a series of targeted attacks since November 22, including 10 water treatment facilities in Israel.

    Their tag line is “Every equipment made in Israel is Cyber Av3ngers legal target.”

    An investigation into the breach revealed that the PLC was accessed due to cybersecurity vulnerabilities, including weak password security (defaults are rarely reset) and internet exposure. This breach sheds light on the broader issue of cybersecurity in critical infrastructure sectors. In the U.S., a significant portion of this infrastructure is privately owned and often relies on self-regulation for cybersecurity, leading to calls for more stringent government-imposed regulations.

    The incident also occurred in the wake of a federal appeals court decision that led the Environmental Protection Agency (EPA) to rescind a rule mandating cybersecurity testing in regular audits of U.S. public water systems. This decision, influenced by a case involving Missouri, Arkansas, and Iowa, along with a water utility trade group, raises concerns about the robustness of cybersecurity measures in vital public utilities.

    In response, the Biden administration has been talking about strengthening the cybersecurity of critical infrastructure. But, the extent to which vital industries implement these regulations is sketchy in that almost all of them are privately owned and operated with very little oversight. These breaches underscore the threat from nation state adversaries and our continuing response to them. And, why Foreign Policy is today far more important than many domestic issues that occupy our daily media reporting.

    Without a dramatic improvement in the protection and detection we provide for critical infrastructure against even the most unsophisticated cyber threats, we are essentially writing our own obituary.

    We could start by resetting default passwords.

    Let’s get smarter.

    https://cybered.io/ The Future. Now.

  • Armando S.

    CISO|CTO|Chief of Innovation|International Cyber Consultant|Agentic AI Cybersecurity | Data Center Risk Assessment|OT|ICS cybersecurity |Executive Board Member|National Security & Intelligence |personal account

    Water and Cybersecurity

    Recently I was asked to lend eyes and ears to cybersecurity related matters pertaining to water systems management companies. I am happy to see the many requests to understand how to better secure the control systems and IT systems that these critical infrastructure organizations rely on. The recent cyber attacks targeting municipal water organizations have been ransomware centric but have led to temporarily shutting down the control systems networks in some cases.

    There is federal money and state and local funding that can assist these organizations with conducting National Institute of Standards and Technology (NIST) 800-53 assessments. This is a great first step. In the advisory support work I have done I have seen steps in the right direction needed to increase cyber resilience.

    Common gaps I have observed include:

      · Backup and restore deficiencies, for instance all backups are online or in the cloud but not immutable.
      · Lack of robust encryption.
      · An over reliance on “air gap” networks that fail the test when it comes to vendor firmware or equipment upgrades.
      · HMIs that are not password or lock out controlled, lack of multi factor and the ability to validate firmware versions and vulnerabilities.
      · Minimal funding for pen testing, post risk assessment mitigation, and continuous monitoring.

    #OT #ICS Alan B. Levan | NSU Broward Center of Innovation US Environmental Protection Agency (EPA) WATER ISAC Maverc Technologies https://lnkd.in/eJ2aDtdG

  • David Hernandez, GICSP

    Cybersecurity & Risk Executive | OT/IT Convergence Leader | Board Advisor | Driving Secure Digital Transformation in Regulated Industries | AI-Enabled Industrial Innovation | Veteran

    Exploitation of Unitronics PLCs used in Water and Wastewater Systems

    CISA is responding to active exploitation of Unitronics #programmablelogiccontroller (#PLC) used in the Water and Wastewater Systems (#WWS) Sector. #Cyberthreat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. #water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.

    WWS Sector facilities use PLCs to control and monitor various stages and processes of water and #wastewater treatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.

    #Security #Cybersecurity #Vulnerabilities #Infrastructure #Industrial #OT
