Many of you may have heard about the December 2023 hack of Unitronics programmable logic controllers (PLCs) by the Iranian-backed hacktivist group “CyberAv3ngers” or have read the Colorado Information Analysis Center (CIAC) Situational Awareness bulletin. The hackers targeted water and wastewater utilities and other industries using Unitronics PLCs, freezing the units and posting the message pictured below:
Colorado Information Analysis Center (CIAC) Situational Awareness bulletin 23-26340
A water facility in Aliquippa, PA with a Unitronics PLC was targeted in late November 2023, forcing the system to operate in manual mode. So, how can you protect yourself from cyberattacks like this? Some easy steps to take include:
- Change the password from the factory default password. In the case of the Unitronics PLC hack, some units were still using the default password of “1111”.
- Disconnect the PLC from the internet. If remote access is needed, use a firewall/VPN with multi-factor authentication.
- Back up the logic and configuration of any PLCs in case you need to reset them.
- Keep your software updated with the latest version from the vendor.
Actions to take if your system experiences a cyberattack
The department has created a guidance document to help drinking water systems respond to and report cyberattacks. Here are some highlights of actions to take if you experience a cyberattack at your facility:
- Notify the department as soon as possible (contact info below), but no later than 10 a.m. of the calendar day following any cybersecurity event (see Regulation 11 for details).
- Disconnect (e.g. unplug) compromised computers from the network. Do not turn off or reboot systems.
- Assess the scope of the compromise and isolate all affected IT systems.
- Connect with your antivirus software customer care team or security service vendor.
- Assess any potential damage, including impacts to treatment processes or service disruptions.
- Initiate manual operation of equipment if control systems have been compromised.
- Distribute any advisories or alerts to customers as needed, including customers whose records may have been compromised.
- Identify methods to scan all IT assets to eradicate malicious code. Assess and implement recovery procedures.
- Assess the status of assets: valves, pumps, tanks, water, and chemical flows.
Incident Reporting - Reg 11 Requirements
Per Regulation 11.2(1), tampering events, suspected tampering, or receipt of a tampering threat must be reported to the Colorado Department of Public Health and Environment (department). The supplier must notify the department as soon as possible but no later than 10 a.m. of the next calendar day and notify the department in writing no later than 5 days after any attempted, confirmed, or suspected tampering, or receipt of a tampering threat. Failure to report attempted, suspected, or confirmed tampering in a timely manner may result in a violation of Regulation 11. Please refer to the department’s Guidance: Report and Respond to Tampering Events or Security Threats for more information on the required information. For ease of reporting, the department has created the Tampering Threat and Incident Report Form. If you have issues accessing the form, please fill out the PDF version of the form and submit it to cdphe.wqacutes@state.co.us. Please refer to the recent CDPHE Aqua Talk article for more information on security event reporting requirements and the department’s role in helping you protect public health during a security breach.
Incident Reporting - Partnering Institutions
Please note that when you report a cybersecurity incident to the CDPHE, the department will report the incident to the federal parties below on your behalf:
- Colorado local FBI Field Office
- Cyber Watch (CyWatch) at (855) 292-3937 or CyWatch@fbi.gov
- The Internet Crime Complaint Center (IC3)
- CISA at report@cisa.gov or (888) 282-0870
- WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form.
The Colorado Department of Public Health and Environment’s (department) Water Quality Control Division is sending out the below notification, as have state and federal water security partners, including the Water Information Sharing & Analysis Center, Colorado Department of Homeland Security and Emergency Management, and the Cybersecurity and Infrastructure Security Agency (CISA).
Resources
- CISA’s free Cyber Vulnerability Scanning (VS) services
- CDPHE water/wastewater security toolbox
➽ Heather Young, PE, CWP, Field Services Section Manager
➽ Kyra Gregory, Drinking Water Training Specialist