The UK's National Cyber Security Centre (NCSC) has warned of the active exploitation of Unitronics programmable logic controllers (PLCs), used extensively across the water sector.
The statement follows a similar alert from the US Cybersecurity & Infrastructure Security Agency (CISA) earlier this week, with the NCSC recommending that organizations should follow its guidance.
"The NCSC has warned for some time of the enduring threat to the UK’s critical national infrastructure," says Jonathon Ellison, NCSC director for national resilience and future technology.
"Our US counterparts, CISA, have issued an advisory outlining a threat against the water sector. We are notifying UK providers of this threat, and recommend they protect consumers by following the mitigation advice set out by CISA."
Water and waste water facilities use PLCs to control and monitor various processes, including turning on and off pumps to fill tanks and reservoirs, flow pacing chemicals to meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to operations.
While the NCSC says that the exploitation is of ‘limited sophistication’ and is highly unlikely to cause any disruption to water supplies, there is a potential risk to some small suppliers.
The CISA advisory follows an attack on an unidentified US water facility, in which the attackers appear to have accessed the affected device — a Unitronics Vision Series PLC with a Human Machine Interface (HMI) — by exploiting poor password security and exposure to the internet.
The facility, says CISA, immediately took the system offline and switched to manual operations, meaning that there was no known risk to the drinking water or water supply.
But to prevent other attacks, it says, users should change all default passwords on PLCs and HMIs, require multifactor authentication for all remote access, including from the IT network and external networks, and disconnect the PLC from the open internet.
RELATED RESOURCE
Want a better CASB and stronger DLP? Starts with the right foundation.
They should also back up the logic and configurations on any Unitronics PLCs to enable fast recovery, where possible utilize a TCP port other than the default TCP 20256 port and update PLC/HMI to the latest version.
The alert follows a recent NCSC report that warned that the UK’s critical sectors, including the water industry, are facing an 'enduring and significant’ threat.
"The last year has seen a significant evolution in the cyber threat to the UK – not least because of Russia’s ongoing invasion of Ukraine but also from the availability and capability of emerging tech," says NCSC CEO Lindy Cameron.
"Beyond the present challenges, we are very aware of the threats on the horizon, including rapid advancements in tech and the growing market for cyber capabilities."
In summer last year, South Staffs Water fell victim to hackers who were able to access the names and addresses of account holders, along with the sort codes and account numbers used for direct debit payments. Shortly after, a ransomware group claimed it was possible to tamper with water supplies.
And in the US, there have been a number of attacks, including the breach of a water authority near Pittsburgh which affected the water pressure in nearby towns. The attack is believed to have been carried out by hacktivists aligned with the government of Iran.
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
‘States don’t do hacking for fun’: NCSC expert urges businesses to follow geopolitics as defensive strategyNews Paul Chichester, director of operations at the UK’s National Cyber Security Centre, urged businesses to keep closer tabs on geopolitical events to gauge potential cyber threats.
-
Cyber attacks have rocked UK retailers – here's how you can stay safeNews Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
State-sponsored cyber crime is officially out of controlNews North Korea is the most prolific attacker, but Russia and China account for the most disruptive and tightly-targeted campaigns
-
Modern enterprise cybersecuritywhitepaper Cultivating resilience with reduced detection and response times
