Iran-linked hackers disrupt U.S. water facilities by targeting exposed industrial controls

April 8, 2026 · 6 min read · 4 sources

Aliquippa, Pennsylvania – A pump station serving a small American town became an unlikely front in international cyber conflict late last year. On November 25, 2023, operators at the Aliquippa Municipal Water Authority discovered a chilling message displayed on one of their control screens: a defacement from a pro-Iranian hacktivist group. The attack, which briefly disrupted operations, was a stark signal of a broader campaign targeting vulnerable U.S. critical infrastructure.

In a series of joint advisories, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA warned that cyber actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) were actively exploiting internet-exposed operational technology (OT). Their target: Unitronics Vision series Programmable Logic Controllers (PLCs), the small industrial computers that automate processes in water treatment plants, manufacturing facilities, and energy substations across the country.

Background: Geopolitics and 'CyberAv3ngers'

The attacks are attributed to a group calling itself “CyberAv3ngers,” which emerged in the wake of the October 2023 Israel-Hamas conflict. The group’s messaging is overtly political and anti-Israel, and U.S. intelligence agencies have linked its activities to the Iranian government. Prior to the Aliquippa incident, CyberAv3ngers had claimed responsibility for similar attacks against Israeli infrastructure, establishing a clear pattern of targeting devices from the Israeli manufacturer Unitronics.

This campaign represents a tactical, albeit unsophisticated, escalation. While nation-states have long engaged in cyber espionage, these incidents demonstrate a willingness to move from intelligence gathering to direct, disruptive attacks on civilian infrastructure. The choice to target the water and wastewater systems (WWS) sector is particularly concerning due to the potential for direct impacts on public health and safety.

Technical Details: The Danger of Default Settings

The attackers did not need to deploy a complex zero-day exploit or sophisticated malware. Instead, they exploited fundamental and widespread security failings. The primary attack vector was the direct exposure of Unitronics PLCs to the public internet, a practice strongly discouraged by security professionals.

Threat actors used publicly accessible search engines like Shodan, which continuously scan the internet for connected devices, to easily identify vulnerable Unitronics systems. According to CISA’s advisory (AA23-325A), the attackers then gained access by using the manufacturer’s default password, “1111,” which many operators had never changed. This is the digital equivalent of leaving the front door unlocked with the keys still in it.

Once they gained access, the attackers performed several actions:

  • Defacement: They altered the Human-Machine Interface (HMI)—the graphical screen operators use to monitor and control processes—to display an anti-Israel message.
  • Operational Disruption: In the Aliquippa case, the attackers reportedly manipulated controls that shut down a booster station pump responsible for monitoring and regulating water pressure for two nearby townships.

The core vulnerability was not a flaw in the device itself, but a critical misconfiguration. These PLCs are designed for isolated industrial networks, segregated from corporate IT networks and especially from the public internet. Connecting them directly online without firewalls, access controls, or changing default credentials creates an easily exploitable target.

Impact Assessment: A Warning Shot Across the Bow

The direct physical impact of the Aliquippa attack was minimal. The water authority quickly detected the intrusion, switched to manual operations, and restored normal function without any loss of safe drinking water to customers. However, the incident’s significance far outweighs its immediate consequences.

Who is affected?

  • Water and Wastewater Facilities: CISA confirmed that multiple organizations in this sector were targeted. Smaller municipalities with limited cybersecurity budgets and personnel are particularly at risk.
  • Other Critical Sectors: The advisory noted that entities in the food and beverage, energy, and critical manufacturing sectors also use these PLCs and were at risk of similar attacks.
  • The Public: While this attack was contained, a more successful or widespread campaign could disrupt the supply of clean water, damage expensive equipment, or even manipulate chemical dosing to create a public health crisis, as was attempted in the 2021 Oldsmar, Florida incident.

Cybersecurity experts have described the CyberAv3ngers campaign as targeting “low-hanging fruit.” The attacks serve as a loud and clear warning about the fragility of industrial control systems (ICS). They demonstrate that even low-sophistication actors can cause tangible disruption by capitalizing on basic security oversights. For Iran, these attacks provide a low-cost, plausibly deniable method of projecting power and retaliating against adversaries without triggering a conventional military response.

How to Protect Yourself: Securing Operational Technology

The guidance from CISA and the FBI focuses on foundational cybersecurity practices that are essential for any organization operating industrial control systems. Asset owners and operators should take immediate action to mitigate these and similar threats.

  1. Disconnect from the Internet: The most critical step is to remove all PLCs and other OT devices from direct internet exposure. These systems should not be discoverable via public IP addresses. If remote access is necessary, it must be secured.
  2. Implement Network Segmentation: Isolate your OT network from your corporate IT network using firewalls. This prevents an intrusion on the IT side (e.g., a phishing attack) from spreading to the critical control systems.
  3. Secure Remote Access: For any required remote access, use a secure VPN service with strong multi-factor authentication (MFA). This ensures that only authorized users can access the OT network and that their identity is verified.
  4. Change Default Passwords: Immediately change all default credentials on PLCs, routers, and other hardware. Enforce a policy of creating strong, unique passwords for every device and account.
  5. Maintain an Asset Inventory: You cannot protect what you do not know you have. Keep a detailed inventory of all OT devices connected to your network so you can identify and secure them properly.
  6. Update Firmware: Regularly check for and apply firmware updates from vendors. While this specific attack didn't use a software flaw, patching is a vital part of overall security hygiene to protect against future exploits.
  7. Monitor Network Traffic: Implement a program to monitor OT network traffic for unusual activity, such as unexpected connections from external IP addresses or attempts to log into control devices.
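Steps 1, 2, 4, 5 and 7 above can be turned into a small, repeatable check: walk the asset inventory for exposed addresses, missing segmentation and unchanged default credentials, then review connection logs for external hosts reaching PLC service ports. The Python below is an added example written for this article, not code from CISA, Unitronics or the water authority. The asset records and log lines are constructed, the internal address ranges are the RFC 1918 blocks, and TCP 20256 is assumed to be the Unitronics PCOM port listed in CISA's advisory (adjust the set to your own devices).

```python
"""OT exposure triage for the hardening steps above.

Added example for this article, not code from CISA, Unitronics or the
water authority.  All asset records and log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Address ranges treated as internal (RFC 1918 plus loopback and link-local).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Assumption: TCP 20256 is the Unitronics PCOM port named in CISA AA23-325A.
# Extend with the ports your own inventory uses (e.g. 502 for Modbus/TCP).
PLC_PORTS = {20256}


@dataclass
class OtAsset:
    """One row of the OT asset inventory (step 5)."""
    name: str
    ip: str
    default_password_changed: bool
    behind_firewall: bool


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_asset(asset: OtAsset) -> list[str]:
    """Return the hardening gaps an asset has against steps 1, 2 and 4."""
    findings = []
    if is_external(asset.ip):
        findings.append("internet-exposed address")
    if not asset.behind_firewall:
        findings.append("not segmented behind a firewall")
    if not asset.default_password_changed:
        findings.append("default credentials still in use")
    return findings


def triage_inventory(assets: list[OtAsset]) -> dict[str, list[str]]:
    """Map asset name -> findings, omitting assets that pass every check."""
    report = {}
    for asset in assets:
        findings = triage_asset(asset)
        if findings:
            report[asset.name] = findings
    return report


# Step 7: review connection logs for external hosts reaching PLC ports.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def suspicious_connections(lines, plc_ports=PLC_PORTS):
    """Return (src, dst, dport) for external hosts reaching PLC ports.

    Denied attempts are reported too: a blocked probe against a PLC port is
    still worth an analyst's attention.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record (heartbeats, status lines)
        dport = int(m["dport"])
        if dport in plc_ports and is_external(m["src"]):
            hits.append((m["src"], m["dst"], dport))
    return hits


# Constructed inventory; 203.0.113.0/24 (RFC 5737) stands in for a public address.
SAMPLE_ASSETS = [
    OtAsset("booster-pump-plc", "203.0.113.10", False, False),
    OtAsset("chlorine-dosing-plc", "192.168.10.20", True, True),
    OtAsset("intake-valve-plc", "10.0.5.7", False, True),
]

# Constructed firewall log lines in a key=value format.
SAMPLE_LOG = [
    "2023-11-25T03:12:44Z src=198.51.100.8 dst=192.168.10.20 dport=20256 action=allow",
    "2023-11-25T03:12:51Z src=192.168.10.5 dst=192.168.10.20 dport=20256 action=allow",
    "2023-11-25T03:13:02Z src=198.51.100.8 dst=192.168.1.4 dport=443 action=allow",
    "2023-11-25T03:13:09Z heartbeat ok",
    "2023-11-25T03:13:30Z src=203.0.113.45 dst=10.0.5.7 dport=20256 action=deny",
]

if __name__ == "__main__":
    for name, gaps in triage_inventory(SAMPLE_ASSETS).items():
        print(f"{name}: {', '.join(gaps)}")
    for src, dst, port in suspicious_connections(SAMPLE_LOG):
        print(f"external {src} -> PLC {dst}:{port}")
```

Run as a script it lists the two assets with gaps and the two external connections to port 20256; the internal-to-internal PLC traffic and the external HTTPS connection are left alone. Feeding it a real inventory export and firewall log only requires matching the field names in `OtAsset` and `LOG_RE`.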

The attacks on Unitronics PLCs were not a sophisticated assault on hardened targets. They were an opportunistic campaign that succeeded by exploiting the most basic security failures. For critical infrastructure operators, this is a final wake-up call to prioritize the security of the operational technology that underpins our modern lives.

FAQ

What is a PLC and why is it a target?

A Programmable Logic Controller (PLC) is a ruggedized industrial computer used to automate processes in factories, power plants, and water treatment facilities. PLCs are targets because compromising them can allow an attacker to disrupt physical operations, damage equipment, or endanger public safety.

Was my local water supply affected by these attacks?

The most prominent publicly confirmed attack in the U.S. was against the Municipal Water Authority of Aliquippa in Pennsylvania. Officials there stated that the water supply remained safe and the disruption was quickly contained. CISA has warned that multiple other facilities were vulnerable, but specific locations have not been disclosed.

Why were these critical devices connected to the internet?

Devices like PLCs are sometimes connected to the internet for legitimate reasons, such as remote monitoring or maintenance by vendors or operators. However, this must be done securely. The problem in these attacks was that the devices were connected directly without proper security controls like firewalls, VPNs, or strong passwords, making them easy targets.

Who are the 'CyberAv3ngers'?

'CyberAv3ngers' is the name used by a hacker group that U.S. intelligence agencies have linked to Iran's Islamic Revolutionary Guard Corps (IRGC). Their activities are considered politically motivated, primarily targeting Israeli interests and those of its allies, like the United States.

How can I find out if my organization is vulnerable?

Organizations using Unitronics Vision series PLCs should immediately follow CISA's guidance. This includes checking for internet exposure, changing default passwords, and ensuring the devices are behind a firewall. A comprehensive security audit of all operational technology (OT) is recommended for any critical infrastructure operator.
