Water damage: Censys finds 149 internet-exposed Unitronics devices

The water tank might be half empty, depending on how you view one company’s internet scan for industrial controllers.

Researchers from the threat-management platform Censys discovered 149 internet-accessible devices from the Israel-based automation manufacturer Unitronics.

The 149 programmable logic controllers (PLCs), which use sensors and data processing to support automation in facilities like water plants, manufacturing environments, and food-processing centers, have exposed remote-access protocols and web control panels, according to the company’s Feb. 8 report.

The discovery is concerning to some industry experts, given recent cyberattacks on water facilities—the kind that strikes many unprepared teams and can begin with a similar PLC find.

“I do think there is a skills and resource gap within the critical infrastructure communities, I think we have folks who are on the ground doing this work, dealing with operational technology, who maybe don’t have the expertise to necessarily know how to best harden and defend the systems that they’re running, because that’s really never been their responsibility,” Emily Austin, senior researcher and security research manager at Censys, told IT Brew.

The Censys census follows a compromise of a Pennsylvania water-facility’s Unitronics PLC/display combo. Hackers known as the Cyber Av3ngers took over a monitoring system and defaced the OT device’s screen with an anti-Israel message.

The good news:

• Honeypots. Researchers are leaving some devices exposed on purpose, to gather intelligence on who’s taking the bait. (Censys said it suspects that only 32% of the found Unitronics PLCs are “real devices.”)
• Exposure. Even if a found device is compromised, facilities can still detect the hack. With OT environments, if an internet-connected device fails, a process stops, which frequently triggers an alarm, Jim McKenney, practice director of industrial and operational technologies at the cybersecurity consulting company NCC group, said. An important security measure: making sure someone is listening for the alerts. “This is why we call it operational technology, because it takes an operator,” McKenney told IT Brew.

The bad news:

• A compromise to a PLC can lead to more than just a defaced screen, especially if a device is dual-homing, meaning a device connects to multiple domains, like an internal network. “An attacker that compromises that device can actually leverage that device in order to get into more in-depth regions of that network,” Amir Preminger, VP of research at the cybersecurity company Claroty, told IT Brew.
• On Feb. 6, a Subcommittee on Cybersecurity and Infrastructure Protection held a hearing to discuss securing operational technology in the water sector. Committee Chairman Andrew Garbarino opened the session saying, “Many OT systems rely on legacy equipment that owners and operators may not have the capacity to secure in the same way as traditional IT.”

To help owners and operators study up on security, CISA, the FBI, and the EPA recently developed an incident response guide for water and wastewater systems (WWS) facilities.

As infrastructure attacks emerge and CISA officials warn that the WWS sector is “under constant threat from malicious cyber actors,” OT pros still have to open the playbook. Censys said it notified over 20 organizations of their exposure risk.

“We’ve spent some time over the last few weeks notifying as many of these organizations as we could reliably identify. And we heard back from a few of them who were really grateful, but then the rest of those notifications have been met with silence,” Austin said.