In today’s world, the focus of cyberattacks is ransomware, not control system hacks meant to cause damage. However, on Nov. 25, 2023, the Municipal Water Authority of Aliquippa, Pennsylvania had one of their booster stations’ Unitronics programmable logic controllers (PLCs) hacked by an Iranian-backed cyber group - CyberAv3ngers. The booster station monitors and regulates pressure for 6,615 customers in Aliquippa and portions of Hopewell Township, Potter Township and Raccoon Township. CyberAv3ngers claims to be an active group focused on targeting Israeli water and energy sites, including 10 water treatment stations in Israel as of Oct. 30, 2023, according to their X page.
A booster station is designed for automatic operation, not to hold personal information. An alarm went off as soon as the hack had occurred, as the hackers apparently wanted to be found. The automation system has since been disabled.
The Aliquippa case may not be a one-off attack against a small water utility, as the hack was against a control system vendor supplying a cost-effective system that is used in control systems at many critical infrastructures systems, not just water utilities like Aliquippa. A search of the Unitronics website shows it supplies control systems to many types of organizations, not just water utilities. This makes real-time information sharing all the more critical. From a Nov. 27, 2023, Shodan search on Unitronics systems, there are more than 220 Unitronics systems in the U.S. and more than 1800 worldwide. One wonders who else has been hacked, or when they will be attacked? Imagine what damage could accrue if the attack targeted other control system suppliers.
Members of the Pennsylvania state police were called to the booster station to begin a criminal investigation. The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have joined the investigation. Unfortunately, the initial government response to this 2023 cyberattack appears to mirror what happened with the 2011 Springfield, Illinois Curran-Gardner water hack. In that case, the incident was identified by the state fusion center as a cyberattack coming from Russia. Moreover, the utility general manager stated they were hacked. The state fusion center report leaves no doubt the SCADA system was compromised. However, the scenario changed after the government arrived and it was no longer considered to be a hack. As the Aliquippa case was an intentional probing attack by Iran to see what will happen if anything – hopefully, that mistake will not be repeated here.
It should be noted that the 2021 Oldsmar, Florida water “hack” (it was not a hack or a deliberate attack, but a user error) occurred during weekday business hours, and the response was almost instantaneous. The CISA response about it being a cyberattack was wrong and went uncorrected for more than two years. In the Aliquippa case, the hack occurred on a Saturday of a four-day holiday weekend, and the response was not so instantaneous.
All three of these cases involved small local water systems, which suggest a need for minimum control system cybersecurity best practices in the water sector. The American Water Works Association has been seeking congressional support to establish a shared regulatory process modeled on the bulk power sector since 2021. The intent is to create a tiered risk and performance-based approach that sets mandatory cybersecurity requirements for drinking water and wastewater systems with oversight from the Environmental Protection Agency (EPA). This type of approach is all the more timely and prudent given the EPA’s withdrawal of cyber regulations following a legal challenge by several states. It would be prudent for Congress to move forward this type of public-private collaboration to advance cybersecurity in the water sector but address the limitations in the bulk power sector model.
The LinkedIn note from Nov. 26, 2023, on this subject went viral with more than 11,000 views and more than 35 reposts in less than 36 hours. There were several common threads demonstrating the lack of focus on control system cyber incidents. The first was a repost started with the following comment: “In a striking deviation from the typical ransomware-focused cyberattacks.” Hacking control systems shouldn’t be viewed as a “striking deviation.” Seeing it as such demonstrates that cyber defenders are not looking beyond Internet protocol network attacks.
A second comment on the original post read, “Scary. Yes. No. I would not be surprised if our adversaries already have a bunch of our systems compromised and are just waiting for time to attack.” Russia and China have already done this. The Russians installed BlackEnergy2 in U.S. electric grids in 2014. Since at least 2019, China has installed hardware backdoors in large electric equipment across the country. It is evident that cyber defenders are not adequately trained nor sensitized to what control system cyber attackers are addressing, as another comment stated, “Another wakeup call…hope this helps lower the numbers of those hitting the snooze button in many domains.”
This cyberattack is also an international issue as noted by the number of Unitronics installations internationally as well as the impact of attacking water systems and other critical infrastructure. See the following observation.
The is from my colleague in Lithuania, Vytautas Butrimas:
“The Pittsburgh TV affiliate's report showed an interesting video in the background with images of some of the equipment (e.g., Unitronics V570, a PLC used by the water facility). Probably not a good idea to show that much on the web. Remember those published photos of an Iranian enrichment plant's control room? (my comment - this information factored into the Stuxnet attack).The media people need to be made aware about how much actionable info they are providing to the public.”
There’s a myriad of opportunities for lessons to be learned – will they be taken advantage of before real harm takes place?