Hackers breach US water facility via exposed Unitronics PLCs

US Water Treament Plant

CISA (Cybersecurity & Infrastructure Security Agency) is warning that threat actors breached a U.S. water facility by hacking into Unitronics programmable logic controllers (PLCs) exposed online.

PLCs are crucial control and management devices in industrial settings, and hackers compromising them could have severe repercussions, such as water supply contamination through manipulating the device to alter chemical dosing.

Other risks include service disruption leading to a halt in water supply and physical damage to the infrastructure by overloading pumps or opening and closing valves.

CISA confirmed that hackers have already breached a U.S. water facility by hacking these devices. However, the attack did not compromise potable water safety for the served communities.

“Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility,” reads CISA’s alert.

“In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.”

The agency underlines that the threat actors take advantage of poor security practices to attack Unitronics Vision Series PLC with a human-machine interface (HMI) rather than exploit a zero-day vulnerability on the product.

The recommended measures for system administrators are:

  • Replace the default Unitronics PLC password, ensuring “1111” is not used.
  • Implement MFA (multi-factor authentication) for all remote access to the Operational Technology (OT) network, including access from IT and external networks.
  • Disconnect the PLC from the open internet. If remote access is necessary, use a Firewall/VPN setup to control access.
  • Regularly back up logic and configurations for quick recovery in case of ransomware attacks.
  • Avoid using the default TCP port 20256, which is commonly targeted by cyber actors. If possible, use a different TCP port and employ PCOM/TCP filters for additional security.
  • Update the PLC/HMI firmware to the latest version provided by Unitronics.

While CISA’s advisory did not specify the threat actor behind the attacks, Cyberscoop reported that a recent hack on the Municipal Water Authority of Aliquippa, Pa., was conducted by Iranianian attackers.

As part of this attack, the threat actors hijacked Unitronics PLCs to display a message from the threat actors.

CISA also announced in September 2023 a free security scans program for critical infrastructure facilities like water utilities to help them identify security gaps and protect their systems from opportunistic attacks.


Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.