Urgent threat to IoT and digital PLCs controlling US infrastructures
Over the past seven years, multiple bad actors have been coordinating penetration attacks against US infrastructures. These attacks have included broad exploitation of devices and networks from pipelines to IoT controls affecting energy transport, water treatment and industrial operations.
While industry groups and government agencies agree on all the potential detrimental outcomes, the current leadership in both the US Congress and the Administration has not established a competent program to interdict the baseline threat: the extensive integration of non-trusted devices and technologies used in data acquisition and control of nearly everything in the US.
Most recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory concerning the exploitation of certain programmable logic controllers (PLCs) used in the US water infrastructure. Specifically, the advisory concerns exploitation of Unitronics PLCs, which is creating substantial issues for commercial operations, industry and government.
Canary in the coal mine
However, the history of penetration testing at water treatment plants, prior to this current threat, did little to provide the relevant preparation for what appears to be a coordinated multinational threat targeting primary US infrastructures, those necessary for sustaining life and commerce.
The American Society of Civil Engineers' Environmental and Water Resources Institute (EWRI) has regularly published articles concerning exploits targeting water treatment facilities. In 2022, EWRI's renewable energy committee published a key monograph on the use of renewable-powered technologies in securing the American water infrastructure. The monograph, titled Renewable Energy Technologies and the Water Infrastructure, offers examples of solutions for advancing physical, cyber and network security at plants, in pipelines and in operational centers.
Critical products, from the Internet of Things (IoT) to PLCs, manage various aspects of water treatment and distribution, and cyber threat actors have targeted these IoT devices and PLCs, posing a significant risk to the integrity of water facilities. In at least one specific incident involving a Unitronics PLC, an immediate shutdown was implemented, eliminating risk to the water supply. These continuing attacks demonstrate, once again, the vulnerability of many operational sectors utilizing IoT and PLC devices, not just water systems.
This should be the rallying point for government and industry to structure comprehensive cybersecurity measures. It may unfortunately be just another event that will be recorded and left to industry and local authorities to respond discretely within their operational domain.
1). December 1, 2023 the “CISA, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) released a joint Cybersecurity Advisory (CSA) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors, including U.S. Water and Wastewater Systems (WWS) facilities, by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated advanced persistent threat (APT) cyber actors.”
2). Menges, P. A. Wind Energy – Increasing Resilience in Water Infrastructure (chapter), Renewable Energy Technologies and the Water Infrastructure. Chitikela, R., Gullapalli, V., Ritter, W. F. Editors. Environmental and Water Resources Institute, American Society of Civil Engineers, 2022, pp. 163-181.