Cyber risk to the UK's water network, NCSC warns


The UK's National Cyber Security Centre (NCSC) has warned of the active exploitation of Unitronics programmable logic controllers (PLCs), used extensively across the water sector.

The statement follows a similar alert from the US Cybersecurity & Infrastructure Security Agency (CISA) earlier this week, and the NCSC recommends that organizations follow CISA's guidance.

"The NCSC has warned for some time of the enduring threat to the UK’s critical national infrastructure," says Jonathon Ellison, NCSC director for national resilience and future technology.

"Our US counterparts, CISA, have issued an advisory outlining a threat against the water sector. We are notifying UK providers of this threat, and recommend they protect consumers by following the mitigation advice set out by CISA."

Water and waste water facilities use PLCs to control and monitor various processes, including turning on and off pumps to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.

While the NCSC says that the exploitation is of ‘limited sophistication’ and is highly unlikely to cause any disruption to water supplies, there is a potential risk to some small suppliers.

The CISA advisory follows an attack on an unidentified US water facility, in which the attackers appear to have accessed the affected device — a Unitronics Vision Series PLC with a Human Machine Interface (HMI) — by exploiting poor password security and exposure to the internet.

The facility, says CISA, immediately took the system offline and switched to manual operations, meaning that there was no known risk to the drinking water or water supply.

But to prevent other attacks, it says, users should change all default passwords on PLCs and HMIs, require multifactor authentication for all remote access, including from the IT network and external networks, and disconnect the PLC from the open internet.




They should also back up the logic and configurations on any Unitronics PLCs to enable fast recovery, use a TCP port other than the default TCP 20256 where possible, and update the PLC/HMI to the latest version.

The alert follows a recent NCSC report that warned that the UK’s critical sectors, including the water industry, are facing an ‘enduring and significant’ threat.

"The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech," says NCSC CEO Lindy Cameron.

"Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities."

In summer last year, South Staffs Water fell victim to hackers who were able to access the names and addresses of account holders, along with the sort codes and account numbers used for direct debit payments. Shortly after, a ransomware group claimed it was possible to tamper with water supplies.

And in the US, there have been a number of attacks, including the breach of a water authority near Pittsburgh which affected the water pressure in nearby towns. The attack is believed to have been carried out by hacktivists aligned with the government of Iran.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.