CISA Warns of Unitronics PLC Exploitation

December 19, 2023

You may have seen the news last week that multiple municipal water authorities declared themselves under cyber attack. How did they get in? The answer is quite simple: by using the default credentials on Unitronics PLCs. The specific controllers that were compromised were equipped with HMIs and did not have their default passwords changed. While the attack has a multitude of geopolitical ramifications, ultimately it highlights the need to revisit security measures around interconnected devices, especially those that have not had proper security controls implemented or changed from their default settings.

The Cybersecurity & Infrastructure Security Agency issued a warning specifically around the Unitronics PLCs that were compromised, but their guidance applies broadly across all IoT devices and PLCs:

Change all default passwords on PLCs and HMIs and use a strong password (one that is longer than 16 characters, using random characters or words, and is unique to only one account or device)
Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks
Disconnect PLCs from the open internet. If remote access is necessary, control network access to the PLC via network segmentation and private VPN
Implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
Use an allowlist of IPs for access, denying access to IPs that are not on the allowlist
Back up the logic and configurations on any PLCs and IoT devices to enable fast recovery
If possible, utilize a TCP port that is different than the default TCP port
Update PLC/HMI to the latest version provided by the manufacturer

To view other PMMI CyberHealth content, visit pmmi.org/cyberhealth Got a more specific question? Email [email protected].