An Iranian hacking group targeted the water system of a small Pennsylvania town over the Thanksgiving weekend, in what may have been a test case targeting widely-used industrial control systems (ICSs).
On Saturday, November 25, the Municipal Water Authority of Aliquippa (PA) announced that one of their booster stations was hacked by the Iranian group Cyber Av3ngers. The group targeted and infiltrated one of the station’s Unitronics programmable logic controllers (PLCs), which are responsible for monitoring water pressure for customers in Aliquippa, as well as Raccoon and Potter Townships. According Matthew Mottes, the chairman of the board of directors for the Municipal Water Authority of Aliquippa, despite the Iranian group’s successful hacking, there is not believed to be any impact on the safety of drinking water in the affected areas.
This hack comes in the middle of an ongoing war where Israel is up against Hamas and other Iranian proxies in the Middle East. Cyber Av3ngers has claimed to have successfully hacked 10 similar water systems in Israel as of October 30. The Unitronics system hacked in Pennsylvania is headquartered in Israel, which is likely a reason for the group targeting a system physically located in the United States. Congressman Chris Deluzio of Pennsylvania’s 17th congressional district said he is “closely monitoring” the cyberattack. The Facebook post below makes it clear that Cyber Av3ngers considers “every equipment” made in Israel as a target of the group.
While the majority of cyber-attacks are focused on financial gain in the form of ransomware, the affected booster station does not contain any personal or proprietary information. Rather it is designed to operate automatically. Apparently, the hackers “wanted” to be found, and may have been infiltrating this system to simply see how the Municipal Water Authority reacted to being hacked. This is similar to some financial hacking schemes where criminals will make an initial withdrawal from an account of a few cents, and if that goes unnoticed, they will make a larger withdrawal hoping to not raise any alarms.
The cyberattack does not appear to be specifically focused on water systems, as Unitronics provides control systems to a variety of critical infrastructure, not just water. Based on Cyber Av3ngers’ track record and open hatred of Israel, it is likely they will continue to target control systems in the U.S. and elsewhere that rely on Unitronics’ technology.
According to a November 27 Shodan search, there are more than 220 Unitronics systems in the U.S. and over 1,800 worldwide. Thus there are plenty of systems for Cyber Av3ngers to target, and the Iranian group has proven indiscriminate when it comes to choosing targets.
To prevent further attacks, the American Water Works Association (AWWA) has been pushing for “infrastructure funding and finance mechanisms” to enhance U.S. water infrastructure for years due to its age and insufficient funding. AWWA has also called for policies “that advance physical and cybersecurity in effective ways while securing information about potential vulnerabilities.”
As the Center for Security Policy’s Secure the Grid Coalition has noted, local governments and emergency planners will have to be the ones making improvements to critical pieces of the United States’ critical infrastructure. The Coalition has been sounding the alarm on inadequate physical security of electric grid infrastructure for years. The U.S. electrical system, while still lacking a variety of safeguards, does have better cybersecurity standards than the water system, but this recent attack in Pennsylvania shows that control systems for critical infrastructure of all kinds remain vulnerable.
This recent attack in Pennsylvania further proves that proactive measures must be taken at all levels of government, especially locally, in order to protect services that millions of Americans rely upon daily.
EDITORS NOTE: This Center for Security Policy column is republished with permission. ©2023. All rights reserved.