ACSC issues alert over threat to Unitronics PLCs

The Australian Cyber Security Centre (ACSC) has released an urgent alert in relation to Unitronics PLCs. The alert is relevant to Australians who use Unitronics PLCs in their environments where appropriate cybersecurity practices may not have been applied and the devices are exposed to the internet.

The ACSC says there are confirmed reports of exploitation globally against Internet-exposed PLCs in critical sectors, notably water and waste management. Threat actors appear to have been targeting Unitronics Vision Series PLCs since 22 November. They have likely used default passwords to gain access to potentially critical systems and perform defacement, although the access they have obtained enables them to reconfigure the device.

This example continues to highlight the risk of Internet-exposed industrial control systems (ICS) and the access to potentially sensitive and critical systems they can provide.

Additional Information can be found in advisories published by ACSC partners in North America:

• IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA
• NCSC statement following exploitation of Unitronics programmable logic controllers
• Exploitation of Unitronics programmable logic controllers – Canadian Centre for Cyber Security

Mitigation

The following mitigations have been suggested by the ACSC, and apply to all internet-facing PLCs, not just Unitronics.

Immediate steps to prevent attack

Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use. Disconnect the PLC from the public-facing internet or filter access to known internet endpoints that require access.

Follow-on steps to strengthen your security posture

Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.

If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.

Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarise yourself with factory resets and backup deployment as preparation in the event of ransomware activity.

Keep your Unitronics and other PLC devices updated with the latest versions by the manufacturer. Confirm third-party vendors are applying the above-recommended countermeasures to mitigate exposure of these devices and all installed equipment.

Assistance

Organisations or individuals that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).

Image credit: iStock.com/bymuratdeniz