Aliquippa, Pennsylvania suffers cyberattack on booster station PLC
The Municipal Water Authority of Aliquippa, Pennsylvania, suffered a cyberattack on Saturday, Nov. 25, that disabled a programmable logic controller (PLC) at one of the authority’s booster stations.
The Municipal Water Authority of Aliquippa provides water and wastewater services to over 6,600 customers in Pennsylvania. The affected booster station monitors and regulates pressure for the Raccoon and Potter Townships.
“They did not get access to anything in our actual water treatment plant — or other parts of our system — other than a pump that regulates pressure to elevated areas of our system,” Matthew Mottes, chairman of the authority, told BeaverCountian.com. “The booster station did what it was supposed to. It sent an alarm and we took control manually. Nobody was ever at risk.”
The authority reported that it immediately took the system offline and switched to manual operations, stressing that there was no known risk to the municipality’s drinking water. Federal authorities are now investigating the cyberattack.
On Nov. 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the PLC exploitation. CISA identified the compromised device as a Unitronics Vision Series PLC that had weak cybersecurity, including exposure to the internet.
According to local news channel KDKA News, the group behind the cyberattack identified itself as “Cyber Av3ngers,” a hacktivist group associated with Iran. The cyberattack left an image on the PLC’s control panel that included the words “down with Israel” and claimed that any equipment made in Israel is a target of the group. Unitronics, the company that provides the Vision Series PLC, is based in Israel.
CISA provided recommendations to secure water and wastewater facilities against the Unitronics PLC’s vulnerabilities. These tips are also helpful for many IT-compatible PLCs:
- Change the Unitronics PLC default password (“1111”).
- Require multifactor authentication for all remote access to the operational technology network.
- Disconnect the PLC from direct internet exposure, or implement a firewall or gateway in front of the PLC to control network access.
- Back up the logic and configurations of the PLCs to enable fast recovery.
- If possible, use a transmission control protocol (TCP) port that is not the default Unitronics PLC port (TCP 20256), to better obscure the PLC from cyberattacks.
- Update the PLC firmware to its latest version.
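
One way to verify that the firewall or gateway recommendation is holding, shown as an added example that is not part of the original article or the CISA alert: the script reviews firewall logs for accepted TCP connections to PLCs on the Unitronics port from sources outside an approved management subnet. The key=value log format, the subnets and the sample log lines are constructed assumptions; only TCP 20256 comes from the guidance above.

```python
import ipaddress

UNITRONICS_DEFAULT_PORT = 20256  # default Unitronics PLC port named in the guidance
# Assumed (hypothetical) site layout: PLC subnet and approved engineering hosts.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log in a simple key=value format (not real data).
SAMPLE_LOG = """\
2024-01-15T03:12:09Z action=accept proto=tcp src=10.10.5.4 dst=10.20.0.15 dport=20256
2024-01-15T03:14:41Z action=accept proto=tcp src=203.0.113.77 dst=10.20.0.15 dport=20256
2024-01-15T03:15:02Z action=drop proto=tcp src=198.51.100.9 dst=10.20.0.15 dport=20256
2024-01-15T03:20:30Z action=accept proto=tcp src=10.30.1.8 dst=10.20.0.16 dport=20256
2024-01-15T03:21:00Z garbage line without fields
2024-01-15T03:22:10Z action=accept proto=udp src=203.0.113.77 dst=10.20.0.15 dport=20256
"""

def parse_line(line):
    """Return a dict of parsed fields, or None if the line is malformed."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"action", "proto", "src", "dst", "dport"} <= fields.keys():
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    fields["time"] = parts[0]
    return fields

def find_unauthorized_plc_access(log_text, ports=(UNITRONICS_DEFAULT_PORT,)):
    """Flag accepted TCP flows to PLC addresses from sources not on the allow-list."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["action"] != "accept" or f["proto"] != "tcp":
            continue
        if f["dst"] not in PLC_NET or f["dport"] not in ports:
            continue
        if any(f["src"] in net for net in ALLOWED_SOURCES):
            continue
        origin = "internal" if any(f["src"] in n for n in RFC1918) else "external"
        findings.append((f["time"], str(f["src"]), str(f["dst"]), f["dport"], origin))
    return findings

if __name__ == "__main__":
    print(*find_unauthorized_plc_access(SAMPLE_LOG), sep="\n")
```

If the PLC has been moved off the default port as the list suggests, pass the site's chosen port through the `ports` argument so the check follows the device.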