In a chilling display of cyber threats impacting public safety, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently disclosed a significant breach targeting the Municipal Water Authority of Aliquippa in western Pennsylvania. This cyber offensive, orchestrated by the Iranian-backed hacktivist group Cyber Av3ngers, exposed vulnerabilities in Unitronics programmable logic controllers (PLCs) and highlighted the critical importance of robust cybersecurity measures in safeguarding vital infrastructure.
The attack on the water authority was not just a breach of technological defenses but a direct threat to public safety. Cyber Av3ngers exploited a critical vulnerability (CVE-2023-6448) in Unitronics Vision Series PLCs, gaining control of the booster station responsible for regulating water pressure in two Pennsylvania townships. The attackers capitalized on lax password security, as the affected PLC was still using the default and easily guessable password, “1111.” Additionally, the PLC was directly connected to the public internet, providing a vulnerable entry point for malicious actors.
Key Factors Contributing to the Attack
- Lax Password Security:
- The use of default and easily guessable passwords poses a significant risk. System administrators are urged to replace default Unitronics PLC passwords immediately, with a strong emphasis on avoiding common choices like “1111.”
- Public Internet Exposure:
- Direct connections to the internet without proper security measures invite cyber threats. Cybersecurity experts recommend severing direct connections of PLCs from the open internet. If remote access is necessary, employing firewalls or VPN setups can regulate access and enhance security.
- Critical Vulnerability (CVE-2023-6448):
- The exploited security flaw, tracked as CVE-2023-6448, underscored the need for proactive measures. With a critical CVSS score of 9.8, this vulnerability allows unauthenticated attackers with network access to take complete control of the PLC and manipulate critical infrastructure functions.
In response to this incident, cybersecurity experts emphasize the following measures to fortify defenses against similar threats:
- Replace Default Passwords:
- Immediately replace default Unitronics PLC passwords, steering clear of easily guessable choices.
- Implement Multi-Factor Authentication (MFA):
- Embrace MFA for all remote accesses within Operational Technology (OT) networks, extending this protocol to IT and external networks.
- Secure Remote Access:
- Sever direct connections of PLCs from the open internet. If remote access is indispensable, employ firewalls or VPN setups to regulate and secure access.
- Regular Backups:
- Conduct regular backups of logic and configurations to ensure rapid recovery in the event of ransomware attacks.
- Port Management:
- Abandon the default TCP port 20256, a known target for cyber actors. Consider switching to an alternate TCP port and incorporate PCOM/TCP filters for augmented security.
- Firmware Updates:
- Diligently update PLC/HMI firmware to the latest version provided by Unitronics to patch vulnerabilities and enhance overall security.
The cyber attack on the Municipal Water Authority of Aliquippa serves as a stark reminder of the vulnerabilities inherent in critical infrastructure. By adopting proactive cybersecurity measures, including robust password practices, secure remote access protocols, and regular system updates, organizations can significantly mitigate the risks associated with cyber threats. The lessons learned from this incident should guide future efforts to bolster the resilience of critical infrastructure against evolving cyber challenges.
