
US Government Warns of Cyberattacks Targeting Water Systems

In a stark warning, Joe Biden’s national security adviser, Jake Sullivan, sent a letter to state governors advising them of two recent and ongoing threats to the United States’ water and wastewater systems from Iranian- and Chinese-affiliated threat actors.

The letter, co-signed by Environmental Protection Agency (EPA) administrator Michael Regan, warns that these attacks have the potential to disrupt the critical lifeline of clean and safe drinking water. Addressing the governors, it states: “We need your support to ensure that all water systems in your state comprehensively assess their current cybersecurity practices to identify any significant vulnerabilities, deploy practices and controls to reduce cybersecurity risks where needed, and exercise plans to prepare for, respond to, and recover from a cyber incident.”

Iranian Affiliated Cyber Actors ‘CyberAv3ngers’ Targeted Water Facilities

Cyber actors linked to the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have conducted cyber attacks on critical infrastructure assets in the United States, specifically targeting drinking water systems. The Iranian-affiliated cyber actors targeted and disabled a common type of operational technology, Unitronics Programmable Logic Controllers (PLCs), used at water facilities. This was the case when the Municipal Water Authority of Aliquippa was attacked in November 2023 by the Iranian-backed group known as CyberAv3ngers; the facility had neglected to change a default manufacturer password on its PLC.

While the water supply remained unharmed at the targeted facility, a breach in the PLCs controlling the water distribution could have led to potential contamination, infrastructure damage, or even a complete shutdown of the municipal water system. The Water Information Sharing and Analysis Center (WaterISAC) issued a cautionary alert at the time of the attack, indicating that this incident might not have been an isolated occurrence.

Chinese Affiliated Cyber Actors ‘Volt Typhoon’ Compromised Critical Infrastructure

The state-sponsored cyber group from the People’s Republic of China, identified as Volt Typhoon, has successfully breached the information technology systems of numerous critical infrastructure entities, including those responsible for providing clean drinking water across the United States. Volt Typhoon's unconventional selection of targets and behavior patterns diverge from typical cyber espionage tactics. Governmental departments and agencies have a strong belief that Volt Typhoon operatives are strategically positioning themselves to potentially disrupt vital infrastructure operations amidst escalating geopolitical tensions or military conflicts.

How to Prevent the Exploitation of Unitronics PLCs

CISA, the US Cybersecurity and Infrastructure Security Agency, released guidance on how to prevent the exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector.

  • Update the default passwords on PLCs and HMIs with a robust and secure password. Make sure to avoid using the default password “1111” for Unitronics PLCs.
  • Ensure that all remote access to the OT network, including from the IT network and external networks, mandates the use of multifactor authentication.
  • Disconnect the PLC from the open internet. If remote access is necessary, control network access to the PLC.  
  • Ensure to regularly backup the logic and settings on your Unitronics PLCs for quick recovery. Familiarize yourself with the procedure for factory resetting and deploying configurations to a device in case of a ransomware attack.
  • If feasible, use a TCP port other than the default TCP 20256. Malicious cyber actors are actively homing in on TCP 20256 after identifying it through network reconnaissance as a port associated with Unitronics PLCs. Once connected, they use PCOM/TCP scripts to query and validate the system, enabling further enumeration and connectivity. Where available, deploy PCOM/TCP filters to filter these packets. Note that moving the port does not stop a determined scanner; it only removes the PLC from the easiest sweeps, so network access control and monitoring of the port remain necessary.
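The last two bullets (restrict network access to the PLC and watch for reconnaissance against the PCOM port) can be turned into a simple detection: flag any TCP connection to the PCOM port from a host that is not an approved engineering workstation. The script below is an added example written for this page, not code from CISA or Unitronics. It assumes a simplified syslog-style firewall log format, a hypothetical management subnet of 10.10.5.0/24, RFC 1918 space as "internal", and constructed log lines; the default port 20256 is the one named in the guidance, and the alternate port 20257 used in the usage note is an assumed site choice.

```python
"""Flag Unitronics PCOM/TCP connection attempts from outside the OT management allowlist.

Added example for this article; not CISA's or Unitronics' code. The log format,
addresses and allowlist below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Default Unitronics PCOM/TCP port named in the CISA guidance.
PCOM_DEFAULT_PORT = 20256

# Assumption: only hosts on this jump-host subnet may talk PCOM to the PLC.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]

# Assumption: RFC 1918 space is "internal"; anything else is treated as internet-facing.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed firewall log lines in a simplified syslog-like format (not real device output).
SAMPLE_LOGS = """\
2024-03-19T02:14:07Z fw1 CONNECT src=203.0.113.45 dst=192.168.20.10 proto=tcp dport=20256 action=allow
2024-03-19T02:14:09Z fw1 CONNECT src=10.10.5.21 dst=192.168.20.10 proto=tcp dport=20256 action=allow
2024-03-19T02:15:31Z fw1 CONNECT src=198.51.100.7 dst=192.168.20.10 proto=tcp dport=443 action=allow
2024-03-19T02:16:02Z fw1 CONNECT src=198.51.100.7 dst=192.168.20.10 proto=tcp dport=20256 action=deny
2024-03-19T02:17:44Z fw1 CONNECT src=192.168.30.4 dst=192.168.20.10 proto=tcp dport=20256 action=allow
2024-03-19T02:18:00Z fw1 LINKUP eth1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONNECT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one connection record; return None for lines that are not connection events."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(ip, networks):
    return any(ip in net for net in networks)


def find_pcom_exposure(log_text, pcom_ports=(PCOM_DEFAULT_PORT,)):
    """Return one alert dict per PCOM connection attempt from a non-allowlisted source.

    pcom_ports should include the default 20256 (attackers scan it regardless) plus
    any alternate port the site has moved the PLC to.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a connection record we understand
        if rec["proto"] != "tcp" or rec["dport"] not in pcom_ports:
            continue  # not PCOM traffic
        src = ipaddress.ip_address(rec["src"])
        if in_any(src, MANAGEMENT_ALLOWLIST):
            continue  # expected engineering-workstation traffic
        external = not in_any(src, INTERNAL_NETWORKS)
        # An allowed connection means the PLC is reachable by an unexpected host; a denied
        # one still shows reconnaissance against the port, so it gets a lower severity.
        severity = "high" if rec["action"] == "allow" else "medium"
        reason = ("PCOM port reachable from outside the internal network" if external
                  else "PCOM access from an internal host not on the management allowlist")
        alerts.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"],
            "action": rec["action"], "external": external, "severity": severity,
            "reason": reason,
        })
    return alerts


def sources_by_attempts(alerts):
    """Count attempts per source so repeated scanners stand out."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    for a in find_pcom_exposure(SAMPLE_LOGS):
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} "
              f"({a['action']}): {a['reason']}")
```

Running the script on the constructed lines produces three alerts: the allowed connection from 203.0.113.45 (high, external), the denied probe from 198.51.100.7 (medium, external) and the allowed connection from 192.168.30.4 (high, internal but not on the allowlist); the allowlisted 10.10.5.21 and the port 443 line are ignored. If the site has moved the PLC to an alternate port, pass both ports, e.g. `find_pcom_exposure(logs, pcom_ports=(20256, 20257))`, since the default port still deserves watching for scans even after the PLC no longer listens on it.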