
CISA’s response to Iran hacking control systems in US critical infrastructures is inadequate

Dec. 4, 2023
The U.S. is in an undeclared cyber war with Iran, including Iran cyberattacking U.S. control systems and IT networks

Iran is in an undeclared war, including cyber war, against the U.S. and our critical infrastructures. On Dec. 1, 2023, CISA, the FBI, EPA, NSA and the Israel National Cyber Directorate (INCD) issued the joint advisory “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities.”

The Iranian government's Islamic Revolutionary Guard Corps (IRGC) is a nation-state actor with nation-state capabilities, not a group of hackers who support a cause. The picture of the hacked Full Pint Brewery screen should remove all doubt that Iran is directly behind state-sponsored hacking of U.S. critical infrastructures. The Unitronics incidents are cyberattacks on control systems, in this case PLCs, not on IP networks or IT equipment. PLCs are used for operation, not to hold customer information. Because the IRGC got to the PLC, it can compromise the near- or long-term operation of any targeted system.
Iran has PLCs in its nuclear, manufacturing and oil/gas industries (recall that Stuxnet was an attack against Siemens PLCs) and is familiar with how PLCs operate. The Nov. 25 IRGC cyberattack on the Municipal Water Authority of Aliquippa brings several interesting wrinkles to cyber war. The IRGC targeted the control system equipment, in this case Israeli-made Unitronics PLCs, not the end-users such as Aliquippa or Full Pint. Consequently, this is a nation-state supply chain attack against U.S. critical infrastructure, not against any single end-user or sector.

However, this supply chain attack is not the usual software compromise that can be addressed by a Software Bill of Materials; it exploits design weaknesses in control systems that are not unique to Unitronics. Recall that Stuxnet compromised Siemens PLCs to damage the centrifuges, and that Triconex safety controllers were compromised by Russian actors in an attempt to blow up a Saudi Arabian petrochemical plant. It is evident the Dec. 1 alert does not address the PLC-unique issues identified from the Unitronics incidents or from previous PLC attacks.

Unitronics

Unitronics is a control system/automation supplier. According to the Unitronics website, the company was founded in 1989 and has installations in automated parking systems, packaging and palletizing, energy production, agriculture, HVAC, food, dairy, chemical, water/wastewater (such as Aliquippa), boilers, plastic extrusion and other industrial sectors. Unitronics provides an all-in-one controller: an integrated HMI and PLC with on-board I/O, with software that lets the PLC ladder logic, the HMI application and all hardware and communications configuration be programmed in a single environment. Unitronics, like many other PLC vendors, has cloud access capabilities.

Unitronics installations

After the initial Nov. 26, 2023, report of the Aliquippa event, a Shodan scan (Shodan is a website that indexes Internet-connected devices) for Unitronics devices found 1,800+ devices globally, 226 of them in the U.S. Following the widespread coverage two days after the event, there was a slight decrease in these numbers. Over the next several days, as the visibility of the event increased, the number of exposed Unitronics instances identified on Shodan in the U.S. decreased to 208. Some of these exposed systems with public IP addresses have since been closed off from access, while some of the pages allowing download of data are still reachable.

This is good news, and it should take place across all industries and control system suppliers. Businesses should require “security by design” from their third-party automation partners: control systems should be isolated, and convenient public status report pages should not be part of the design. As mentioned, these numbers reflect only the Unitronics systems connected to the Internet. As of Dec. 3, 2023, at least three U.S. cities have publicly stated their systems are not connected. This implies they have Unitronics systems that would not appear in the Shodan list.

CISA Alert “mistake”

A core tenet of any cybersecurity program is not disclosing passwords. However, in CISA’s Nov. 28 alert on the Aliquippa compromise, CISA publicly identified the default password of the Unitronics systems and the network port on which the affected service listens, even though neither the password nor the port number appears on Unitronics’ public-facing website. There is no reason to identify the default password or the specific port number, as any Unitronics user would already know these.

I find it hard to believe this was an oversight or mistake, so I had several colleagues help me determine whether it is common practice for CISA to identify actual default passwords in its advisories. One colleague searched more than 450 CISA advisories dating back to 2022, using “password,” “port” and “TCP” as search terms. He was not able to find any other default password listed in those advisories except the one for Unitronics. When asked why CISA released the default password, a senior-level CISA employee stated there was a video on YouTube by the manufacturer that disclosed the password and ports. The CISA individual indicated that CISA did not consider it to matter because the information was already known.

Since when is disclosing any password acceptable? CISA has not disclosed default passwords for any other vendor even though their default passwords are also “publicly” known. The default password recommendations in the Dec. 1 advisory should apply to all control system suppliers. The beneficiaries of this egregious CISA disclosure would be those who do not own Unitronics systems: competitors, the general public, Iran, Russia, China, North Korea and other threat actors who want to attack Israeli products. One wonders why CISA chose to “out” this specific vendor.

Nov. 28 and Dec. 1 CISA alert shortcomings

PLCs are engineering devices designed, operated and maintained by engineers. They are not IT devices. The IRGC hackers got to the PLCs, but there is no mention of having engineers or technicians check the PLC logic, PLC communications, PLC performance, HMI conditions, etc. to ensure they have not been compromised. These checks are critical whether or not the PLC is connected to the Internet. Yet the CISA guidance addresses only IT network considerations and ignores engineering considerations. The CISA guidance also ignores the Unitronics HMI that is integral to the PLC. In short, the CISA recommendations are essentially Cyber Hygiene 101, applicable to any device from any vendor for any network cyber incident.
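One of the engineering checks the advisories leave out is confirming that the logic, HMI application and I/O configuration on each controller still match the last approved version. The block below is an added example, not code from this article, from CISA or from Unitronics: it hashes the current exports from each controller, compares them with a baseline manifest recorded at commissioning, and refuses to trust a baseline whose HMAC tag does not verify, so that an intruder who altered the logic cannot quietly "fix" the baseline too. The controller names, file names, file contents and the signing key are constructed placeholders; in practice the exports would come from the vendor's engineering tool and the key would be kept offline with the project records.

```python
"""Logic-integrity baseline check for PLC program exports (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample data: what the engineering tool exported at commissioning
# (approved ladder logic, HMI application and I/O configuration per controller).
# Paths and contents are illustrative placeholders, not a real vendor format.
BASELINE_EXPORTS: Dict[str, bytes] = {
    "plc-booster-1/ladder.txt": b"rung1: START_PUMP if LEVEL < 40\nrung2: STOP_PUMP if LEVEL > 85\n",
    "plc-booster-1/hmi.txt":    b"screen overview; alarm HIGH_LEVEL when LEVEL > 85\n",
    "plc-booster-1/io.txt":     b"AI0=LEVEL_SENSOR AO0=DOSE_VALVE\n",
    "plc-chem-feed/ladder.txt": b"rung1: DOSE_VALVE = SETPOINT 2.5\n",
}

# Constructed sample data: exports pulled from the same controllers after an
# incident. The dosing setpoint has been raised tenfold, the booster I/O
# configuration is gone, and a file nobody deployed has appeared.
CURRENT_EXPORTS: Dict[str, bytes] = {
    "plc-booster-1/ladder.txt": BASELINE_EXPORTS["plc-booster-1/ladder.txt"],
    "plc-booster-1/hmi.txt":    BASELINE_EXPORTS["plc-booster-1/hmi.txt"],
    "plc-chem-feed/ladder.txt": b"rung1: DOSE_VALVE = SETPOINT 25.0\n",
    "plc-chem-feed/notes.txt":  b"defaced\n",
}


def build_manifest(exports: Dict[str, bytes]) -> Dict[str, str]:
    """Map each export path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in exports.items()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest, so the
    stored baseline cannot be edited without the commissioning key."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


def verify_manifest(manifest: Dict[str, str], tag: str, key: bytes) -> bool:
    """Constant-time check of a stored baseline against its tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report exports whose hash changed, that disappeared, or that are new."""
    return {
        "modified":   sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing":    sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def controllers_needing_review(diff: Dict[str, List[str]]) -> List[str]:
    """Controllers (first path component) with any finding. Each one needs an
    engineer to inspect logic, HMI and I/O configuration before it is trusted."""
    return sorted({path.split("/", 1)[0] for bucket in diff.values() for path in bucket})


def audit(baseline: Dict[str, str], tag: str, key: bytes,
          current_exports: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Full check: verify the baseline first, then diff the live exports against it."""
    if not verify_manifest(baseline, tag, key):
        raise ValueError("baseline manifest failed integrity check; do not trust it")
    return compare_manifests(baseline, build_manifest(current_exports))


if __name__ == "__main__":
    # Assumption: the key lives offline with the commissioning records,
    # not on the engineering workstation that talks to the PLCs.
    key = b"commissioning-key-kept-offline"
    baseline = build_manifest(BASELINE_EXPORTS)
    tag = sign_manifest(baseline, key)
    findings = audit(baseline, tag, key, CURRENT_EXPORTS)
    for kind, paths in findings.items():
        for path in paths:
            print(f"{kind:10s} {path}")
    print("controllers to review:", ", ".join(controllers_needing_review(findings)))
```

A hash match only shows the program file is unchanged; it says nothing about a controller whose firmware, retained tag values or communication settings were altered without touching the project, which is why the comparison is a starting point for the engineer's review rather than a substitute for it.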

According to the Dec. 1 CISA advisory, immediate actions include:

1.    Implement multifactor authentication;
2.    Use strong, unique passwords; and
3.    Check PLCs for default passwords.

However, without a redesign, it is unclear whether many control systems (not just Unitronics) are capable of multifactor authentication, of “strong” passwords beyond a few digits, or even of changing their default passwords. Recall that the Siemens WinCC software in the systems targeted by Stuxnet contained a hardcoded password that could not be changed.

OT industry gap in understanding

An indication of the lack of appreciation and understanding of “OT experts” about the Unitronics supply chain attack is Dale Peterson’s post in his Dec. 1, 2023 ICS: Security Friday News and Notes: “I guess I have to include this: the Municipal Water Authority of Aliquippa serving 6,615 customers had an attack on their OT. Small water utilities have weak OT and ICS security and need to be able to fall back to manual ... which they did. Much more consequential is the ransomware that took out emergency room services at multiple hospitals for multiple days in Texas.” Maybe Dale and other OT experts might want to reconsider their priorities. 

Concluding questions

Iran and others of their ilk have threatened Israeli companies and also companies that provide products or support to Israel. This includes U.S.-, European- and Asian-based control system suppliers. What makes people think these vendors aren’t next on Iran’s nefarious agenda?

The Unitronics hack is an Iranian supply chain attack against U.S. critical infrastructure. Why isn’t it being addressed as such? 

The Unitronics PLC hack can apply to other vendors’ PLCs. Why is this not being addressed as a general issue with PLCs?

The Unitronics PLC hack can affect the operation of the PLCs. Why is there no guidance to address this concern?

When is CISA going to provide validated relevant guidance specifically for control system field devices and their non-IP networks? 

Why did CISA potentially compromise Unitronics devices by listing their default password in an open publication when CISA hasn’t done the same for any other vendor? 

Why is CISA supplying the specific vendor port number in an open publication?

Conclusions and recommendations

Control system field devices such as PLCs are used throughout multiple sectors. When will CISA recognize that many control system cyber issues are common across sectors? The U.S. is in an undeclared cyber war with Iran, and that war includes Iran cyberattacking U.S. control systems as well as IT networks. To date, none of the CISA OT guidance, including the two Unitronics advisories, has addressed control system field device issues or device limitations. As a result, CISA guidance may not be applicable to many control system field devices. This gap stems from the lack of the engineering expertise needed to provide expert guidance when control systems are involved. This intolerable gap needs to be closed immediately.