Internet-Exposed Water PLCs Are Easy Targets for Iran
Researchers Find Unprotected Unitronics Devices
Here's one reason why Iranian state hackers may have been able to target Israeli-made pressure-monitoring controllers used by American water systems: Nearly 150 of the controllers are exposed to the internet - and some still use the default password 1111.
Delivering clean drinking water in the United States is a task delegated to local governments that often operate on shoestring budgets and therefore can have poor cybersecurity practices. This issue came to the forefront after an Iranian hacking group known as Cyber Av3ngers targeted water pressure monitoring systems made by Unitronics, based in Tel Aviv.
Attackers in November hacked a Unitronics programmable logic controller used by the Municipal Water Authority of Aliquippa, Pennsylvania, and defaced its interface with an anti-Israeli message. The attack had no effect on water service or quality - although local media reported that water pressure in two townships briefly dropped. A news site covering Beaver County, Pennsylvania, in January reported that recovering from the attack had cost the water authority $20,000 (see: US CISA: Secure Israeli-Made Technology From Iranian Hackers).
The issue of cybersecurity in America's 50,000 community water systems by then had already begun percolating amid a failed Biden administration attempt to make cybersecurity a component of mandatory water system safety assessments.
The U.S. Department of Treasury earlier this month sanctioned leaders of the Iranian government cyber unit responsible for the water system attacks (see: US Sanctions Iranian Cyber Heads for Attacks on Israeli Tech).
Researchers from Censys on Thursday said that internet scans had revealed the presence of 149 exposed Unitronics devices and services within the United States, including three virtual network computing interfaces that didn't require any authentication.
That number includes approximately 27 devices that appear to be researcher honeypots rather than genuine security risks. The devices exposed a proprietary Unitronics protocol called PCOM that allows applications to interact with PLCs. "It is a bit surprising that so many of the total number of PCOM services we see appear to be honeypots," the Censys researchers said.
The U.S. Cybersecurity and Infrastructure Security Agency recommended after the Aliquippa attack that water system administrators disconnect PLCs from the internet. Censys said that "in some cases" it may be reasonable to have water controllers connected to the internet, but they should always be protected by a VPN or behind a firewall that restricts access. A gateway device can facilitate multifactor authentication, even if the PLC itself doesn't support it.
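One way a water utility can verify that the "VPN or firewall" guidance above is actually holding is to check its firewall logs for accepted connections to PLC service ports that did not originate from the approved gateway network. The script below is an added example, not code from the article, Censys or CISA; the PCOM port (TCP 20256) is taken from vendor documentation and is an assumption here, and the log format, PLC addresses and allow-listed subnet are constructed for the example.

```python
"""Flag accepted inbound connections to Unitronics PLC services (PCOM, VNC,
web panel) whose source is outside the approved VPN/gateway subnet."""
import ipaddress
import re

# Services the article reports as exposed. Port numbers are assumptions:
# 20256 is PCOM's documented TCP port, 5900 is VNC, 80 is the web panel.
PLC_PORTS = {20256: "pcom", 5900: "vnc", 80: "web-panel"}

# Only the VPN concentrator / gateway subnet may reach the PLCs (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed firewall log lines in a simple key=value style.
SAMPLE_LOG = """\
2024-01-25T10:01:02Z ACCEPT SRC=10.20.0.15 DST=192.168.7.10 PROTO=TCP DPT=20256
2024-01-25T10:03:44Z ACCEPT SRC=203.0.113.9 DST=192.168.7.10 PROTO=TCP DPT=20256
2024-01-25T10:04:10Z ACCEPT SRC=198.51.100.4 DST=192.168.7.10 PROTO=TCP DPT=5900
2024-01-25T10:05:00Z ACCEPT SRC=10.20.0.15 DST=192.168.7.11 PROTO=TCP DPT=80
2024-01-25T10:06:30Z DROP SRC=203.0.113.9 DST=192.168.7.11 PROTO=TCP DPT=80
2024-01-25T10:07:12Z ACCEPT SRC=203.0.113.77 DST=192.168.7.11 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, proto, dpt = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "proto": proto, "dport": int(dpt)}


def is_allowed_source(ip):
    """True if the source address lies inside an allow-listed subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unauthorized_plc_access(log_text):
    """Return (timestamp, src, dst, service) for accepted PLC-port connections
    that bypassed the VPN/gateway subnet; dropped packets are ignored."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        service = PLC_PORTS.get(rec["dport"])
        if service and not is_allowed_source(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], service))
    return hits
```

Run against the sample log, the function returns the two direct-from-internet hits (PCOM and VNC) and ignores the dropped packet and the non-PLC port.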
These exposed Unitronics devices comprised 39 PCOM services, 94 API endpoints, 96 web admin panels, and 95 devices with exposed VNCs.
One major security concern Censys flagged is the default web control panel on the PLCs. The devices come preprogrammed with a default password of 1111. The top recommendation in CISA's November advisory was to change that password.
"Many critical infrastructure devices are simply 'on' the internet, and without the right measures in place, can become easy points of entry to nation-state groups and other adversaries looking to do harm," the researchers said.
Problematic OT exposures go beyond water and Unitronics services and devices. Censys also observed that exposures were present across a number of other internet-facing OT services related to critical infrastructure sectors, such as energy.
Federal officials on Wednesday warned that foreign hackers - in this case, Chinese - have been readying destructive attacks on U.S. critical infrastructure networks.