Aliquippa Water Authority Attack Analysis

(Special thanks to our esteemed colleague, Joe Weiss, for his continued input and shared material on this subject. Visit his blog here.)

“A small western Pennsylvania water authority was just one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities say.”

The Associated Press – DEC 4, 2023

On November 25, 2023, the Municipal Water Authority of Aliquippa, PA had one of its booster stations hacked by an Iranian-backed cyber group, CyberAv3ngers. The booster station monitors and regulates pressure for customers within the City of Aliquippa and portions of two neighboring Townships. An alarm went off as soon as the hack had occurred, as the hackers apparently wanted to be found. The automation system has since been disabled. If the alarm had not been triggered, significant damage could have occurred. The Aliquippa case may not be a “one-off,” nor is it specific to the water sector, as the hack was against a control system vendor supplying programmable logic controllers (PLCs) to many infrastructures besides water. A Shodan search reveals that there are more than 200 of the Unitronics PLCs in use in the U.S. and more than 1,700 internationally. This makes “real-time” information sharing across all sectors critical. One wonders who else has been hacked.

Iran is in an undeclared war, including cyber war, against the U.S. and our critical infrastructures. On December 1, 2023, CISA, FBI, EPA, NSA and the Israel National Cyber Directorate (INCD) issued the following alert: “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities.” 

“The hackers left a digital calling card on the compromised device saying all Israeli-made equipment is “a legal target.” 

The Associated Press – DEC 4, 2023

The Unitronics incidents are cyberattacks on control systems, in this case PLCs, not IP networks or equipment. PLCs are used for operation, not to hold customer information. Because the Islamic Revolutionary Guard Corps (IRGC) got to the PLC, they can compromise the near- or long-term operation of any targeted system. 

However, this supply chain attack is not the usual software compromise that can be addressed by a Software Bill of Materials. It highlights design weaknesses in control systems that are not unique to Unitronics. Recall that Stuxnet compromised Siemens PLCs to cause damage to the centrifuges, and Triconex controllers were compromised by the Russians in an attempt to blow up a Saudi Arabian petrochemical plant.

Unitronics is a control system/automation supplier. According to the Unitronics website, the company was founded in 1989 and has installations in automated parking systems, packaging and palletizing, energy production, agriculture, HVAC, food, dairy, chemical, water/wastewater (such as Aliquippa), boiler industries, plastic extrusion, and other industrial sectors. Unitronics provides an all-in-one controller: an integrated HMI and PLC with on-board I/O, equipped with software that lets the PLC ladder logic, the HMI application, and all hardware and COM configuration be programmed in a single environment. Unitronics PLCs, like those of many other PLC vendors, have cloud access capabilities.

A core tenet of any cybersecurity program is to make sure that passwords are never disclosed. Unfortunately, in CISA’s November 28 alert on the Aliquippa compromise, the agency publicly identified the default password for the Unitronics system and the port number on which it is used, even though neither the password nor the port number appears on Unitronics’ public-facing website. There is no reason to identify the default password or the specific port number, as any Unitronics user would already know these.

The Aliquippa PA water authority cyberattack revealed critical issues in cybersecurity management. 

  • Firstly, there are design weaknesses in PLC control systems, as evidenced in this incident and in previous attacks, so these vulnerabilities are not new. 
  • Secondly, despite being a foundational NO-NO in cybersecurity, the disclosure of passwords occurred. In fact, CISA’s alert on the attack worryingly disclosed the default password and port number for the Unitronics system, information that should remain confidential as part of proactive cybersecurity measures.

Both of these elements indicate a need for improved security protocols and management. 

For more details on the repercussions of this recent attack, read this article from The Associated Press. 

Contact Us for more information on how to deploy CyberCloak capabilities for OT ICS protection against attacks like this one. 
