The Unitronics programmable logic controller (PLC) hack is an Iranian nation-state (IRGC) supply chain attack against multiple U.S. critical infrastructures on U.S. soil. The IRGC attack is targeting the Israeli-made Unitronics PLCs through its customers. The customers are being directly attacked, but with a view to damaging Unitronics in particular and Israel in general. The IRGC attack could be wider spread as Unitronics PLCs may be rebranded and appear as different manufacturers and companies.
PLC issues
PLCs are engineering devices designed, operated and maintained by engineers. PLCs are “general purpose” controllers used in all sectors to control physical processes. The same PLCs used in water and wastewater management are used in all forms of manufacturing (they were originally invented for auto manufacturing), and in pipelines, chemical plants, refineries, power, the food and beverage sector, transportation, etc. What makes PLCs cyber vulnerable in any one sector makes them cyber vulnerable in all sectors. The generic nature of Unitronics PLCs continues to be downplayed in the CISA alerts and the press as the focus continues to be on water and wastewater because of the Aliquippa Water attack even though other sectors also have been compromised. The continued focus on water and wastewater in the title of the alerts creates a false sense of security for sectors outside of water and wastewater.
Historically, the IRGC has shown a tendency to prioritize “gesture over damage”. Defacing the PLCs has led many to consider this attack as simply a “gesture”. Now consider China’s history on hacking critical infrastructure. According to Brandon Wales, executive director of CISA, “It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis. That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.”
Why would Iran choose to “waste” a cyberattack tool that only defaces PLC displays? The defacement could be an attempt to “hide” the more sinister part of the attack such as implanting new code or compromise existing code to take over the PLC when desired similar to what China has done. The forensic analysis will require PLC experts to identify if the PLC integrity has been compromised. However, that has not been addressed in the CISA alerts nor in articles written about the Unitronics attacks.
Default password issues
Control system equipment, including PLCs, are provided with default passwords, similar to what IT vendors provide. Control system default password issues are not new. In my book, Protecting Industrial Control Systems from Electronic Threats, published in May 2010, I stated: “The ICS systems provided internationally are the same systems provided in North America with the same architecture, same default vendor passwords, and same training. They are also supplied to all process industries, not just electric. The non-U.S. suppliers provide the same systems to the U.S. market as to the non-U.S. market including to “unfriendly” countries.”
In many cases, PLC passwords are limited to a small number of characters without a capability for special characters. These default control system passwords are publicly known. However, all too often, users don’t change default passwords, or in some cases even change them back after they “pass management inspection”. A large percentage of the control systems in the U.S. electric industry still use default passwords in their control system equipment. This may come as a shock to the cybersecurity community, but there are good operational reasons for not changing default passwords that need to be balanced with the cybersecurity reasons for changing them. This will require training for both operations and network security personnel.
Dec. 11, 2023, CISA posted a Known Exploited Vulnerability “CVE-2023-6448 Unitronics Vision PLC and HMI Insecure Default Password.” According to the CVE, “Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.” Since control systems come with default passwords or no passwords, why the focus on Unitronics and why now? The Unitronics attack is not the first-time default passwords have been used to compromise systems. The CVE is even more problematic as Unitronics explicitly stated that customers should change the default password but that was not identified in the CVE disclosure.
The default password issue is not limited to CISA. In the December 12, 2023 issue of SANS Newsbites, there is an article: “Irish Water Utility Suffers Cyberattack” about an Irish utility having their Unitronics PLC compromised. Curtis Dukes, the Vice President and General Manager of the Best Practices and Automation Group at the Center for Internet Security stated: “Continued fallout from the exploitation of Unitronics PLCs. We know the root cause, product shipped with a default administrative password. A question to ponder, should the vendor, Unitronics, be held liable for shipping a product with a known security weakness.” Since when is a vendor providing a default password that should be changed by the end user a known security weakness? If default passwords are security weaknesses, every IT, OT, and control system vendor is guilty of providing products with known security weaknesses.
General issues
The Unitronics PLC hack by the IRGC could have targeted any PLC vendor as the attack exploited publicly known default passwords. Additionally, the IRGC has the capability to attack other cyber vulnerable PLCs as they have knowledge from utilizing PLCs from vendors such as Siemens and others. Many PLC vendors provide equipment that is cyber vulnerable. They may, for example, use hard coded default passwords that cannot be changed or employ separate Windows-based HMIs using commonly known cyber vulnerable communication protocols. As the President of ABB USA said at the ABB User Group Conference after Stuxnet, “there but by the grace of God go I”. That is, Stuxnet could have targeted any PLC that was installed at the Natanz centrifuge facility in Iran.
CISA alert recommendations
The CISA Unitronics alerts only address common IT issues that are applicable to any device from any vendor, for any network cyber incident. My comments are in parenthesis.
- Change all default passwords on PLCs and HMIs and use a strong password. (Why did CISA publish Unitronics’ default password when they have not published the default password from any other vendor?)
- Ensure the Unitronics PLC default password is not in use. (This may not be possible for some PLCs.)
- Disconnect the PLC from the public-facing internet. (This applies to all PLCs.)
- Implement multifactor authentication for access to the OT network whenever applicable. (This is not possible for many PLCs.)
- Implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. (If the PLC is already compromised, the VPN will be providing compromised data.)
- Create strong backups of the logic and configurations of PLCs to enable fast recovery. (This is important but doesn’t help if the PLC logic has already been compromised.)
- Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity (This was not a ransomware attack.)
- Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer. (This applies to all PLCs.)
- Confirm third-party vendors are applying the above recommended countermeasures to mitigate exposure of these devices and all installed equipment. (This applies to all PLCs.)
Unfortunately, industry leaders such as Dragos have tended to repeat the ineffective CISA guidance. Additionally, several OT thought leaders such as Dale Peterson are downplaying the significance of the IRGC-targeted cyberattack against control systems which is a disservice to protecting critical infrastructures against the IRGC cyberattacks.
Unaddressed PLC issues
The IRGC hackers got to the Unitronics PLCs but there was no mention in either of the CISA Alerts about checking the integrity of the PLCs. DOE’s Idaho National Laboratory (INL) has extensive experience with cybersecurity of PLCs dating to at least 2008 when INL gave a presentation to the Siemens International User Group on the cyber vulnerabilities of the Siemens PLCs. In fact, these Siemens PLC vulnerabilities that were exploited by Stuxnet in the 2010 time frame are still vulnerable today. Yet, CISA either did not use INL’s expertise or ignored their guidance in the development of the alerts. It should be evident these are issues that are critical whether the PLC is connected to the Internet or not as the centrifuges at Natanz were not connected to the Internet when the PLCs were compromised by Stuxnet.
PLC specific guidance is provided in the industry “Top 20 PLC coding practices” and in the Unitronics guidance for securing their PLCs. However, neither was referenced in the CISA alerts. On the other hand, CISA made the Unitronics default password public. Apparently, the compromised Aliquippa Water Unitronics PLC has been taken for detailed forensic analysis. A similar issue occurred with hardware backdoors installed by the Chinese in large Chinese-made electric transformers. Industry has not been made aware of what was found in the Chinese transformer in the detailed forensics performed at the Sandia National Laboratory. In fact, the information was highly classified. Consequently, industry is unaware of what dangers lurk. Hopefully, this won’t be the case with the compromised Aliquippa Unitronics PLC or any other compromised Unitronics PLC undergoing detailed forensic analysis.
PLC recommendations
- Use the existing IT recommendations, where applicable
- Use the latest vendor security recommendations
- Apply the Top 20 PLC Coding Practices
- Have PLC experts conduct a detailed forensics analysis of the PLC logic and communications
- If any issues or suspicions arise, replace the PLC
Conclusions and questions
The CISA alerts were initiated because of defacement of Unitronics PLC displays. Yet, there was an absence of discussions about the PLCs even though the defacements could be a way to “hide” the more sinister part of the attack. The focus of the alerts and CVE were on the use of default passwords which are in common use by all vendors in all sectors and not unique to Unitronics. If the Unitronics security guidance had been followed which included changing default passwords, the IRGC would not have been able to compromise Unitronics PLCs. Consequently, this brings up the following questions: Why has CISA been so public about releasing Unitronics default passwords, which they have not done for any other vendor? Why did CISA issue a CVE for Unitronics default passwords when use of default passwords is common throughout critical infrastructure with the onus on the end-user to change the default password? As this was a PLC attack, why has CISA only addressed IT issues and not provided the Unitronics cybersecurity guidance or the industry Top 20 PLC Coding Practices? As the attack vector can compromise any sector, why is CISA’s focus on water and wastewater? As the attack vector can be the same for any PLC vendor, why are the alerts focused on Unitronics? Why would Iran choose to “waste” a cyberattack tool on an attack that only defaces PLC displays and doesn’t implant new code or compromise existing code to take over the PLC when desired? It certainly appears that CISA is “targeting” Unitronics from disclosing Unitronics’ default password that CISA has not done to any other vendor to issuing a CVE for Unitronics use of default passwords which is industry standard with all IT, OT, and control system vendors. It isn’t just CISA. Why are cybersecurity organizations like SANS calling the common practice of a vendor supplying a default password a security weakness? If default passwords are security weaknesses, every IT, OT, and control system vendor is guilty of providing products with known security weaknesses. As Unitronics PLCs are so widely used, both in the U.S. and internationally, these inappropriate CISA alerts, CVEs and “targeted attacks against Unitronics are putting U.S. critical infrastructures at risk. Why?