Suspected Iranian cyberattack on key US infrastructure probed by security agency

A water treatment plant.
(Image credit: Shutterstock)

A US water treatment facility has been breached by hackers exploiting the poor default security measures of Unitronic programmable logic controllers (PLCs).

PLCs were confirmed as the source of the breach by Cybersecurity & Infrastructure Security Agency (CISA), but the agency stated that the hackers had not affected the water within the facility.

The PLCs targeted by the hackers are usually responsible for control and management of critical infrastructure, and could be used maliciously within a water facility to contaminate supplies, turn off the municipal supply of water, or damage the structures within the facility.

Vulnerabilities need plugging

A similar attack, attributed to Iranian hackers, took place targeting a water facility in Philadelphia, however CISA did not confirm who was behind the most recent attack.

In a statement from CISA regarding the attack, the agency reported, "Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility.”

"In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply."

CISA also released guidance for organizations on how to keep Unitronic PLCs secure:

  • Change the Unitronics PLC default password—validate that the default password “1111” is not in use.
  • Require multifactor authentication for all remote access to the OT network, including from the IT network and external networks. 
  • Disconnect the PLC from the open internet. If remote access is necessary, implement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication. Unitronics also has a secure cellular based longhaul transport device that is secure to their cloud services. 
  • Back up the logic and configurations on any Unitronics PLCs to enable fast recovery. 
  • Become familiar with the process for factory resetting and deploying configurations to a device in the event of being hit by ransomware. 
  • If possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC. Once identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for further probing and connection. If available, use PCOM/TCP filters to parse out the packets. 
  •  Update PLC/HMI to the latest version provided by Unitronics. 

Via BleepingComputer

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Before settling into journalism he worked as a Livestream Production Manager, covering games in the National Ice Hockey League for 5 years and contributing heavily to the advancement of livestreaming within the league. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but he also likes to draw on his knowledge of geopolitics and international relations to understand the motives and consequences of state-sponsored cyber attacks.


He has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham. His masters dissertation, titled 'Arms sales as a foreign policy tool,' argues that the export of weapon systems has been an integral part of the diplomatic toolkit used by the US, Russia and China since 1945. Benedict has also written about NATO's role in the era of hybrid warfare, the influence of interest groups on US foreign policy, and how reputational insecurity can contribute to the misuse of intelligence.


Outside of work Ben follows many sports; most notably ice hockey and rugby. When not running or climbing, Ben can most often be found deep in the shrubbery of a pub garden.