The UK’s security agency has urged the nation’s water sector to apply best practice security measures after a US operator was breached via its industrial control systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed earlier this week that an unnamed facility had been taken offline and switched to manual operation after its Unitronics programmable logic controllers (PLCs) were compromised.
The UK’s National Cyber Security Centre (NCSC) played down the immediate seriousness of the threat to the country’s providers, but urged caution.
“The exploitation is of limited sophistication, and is highly unlikely to cause any disruption to the routine supply of water,” it explained in a statement on the incident.
“There is a very low potential risk, if the threat is unmitigated, to some small suppliers. As such, the NCSC is encouraging organizations using Unitronics PLCs to follow the steps outlined in CISA cyber security advisory.”
That advisory recommended the following:
- Change all default passwords on PLCs and human machine interfaces (HMIs) and use a strong password
- Mandate multi-factor authentication (MFA) for all remote access to the operational technology (OT) network
- Disconnect the PLC from the public internet and implement a firewall/VPN in front of the PLC to control network access
- Use an allowlist of IPs for access to the PLC
- Back up the logic and configurations on any Unitronics PLCs to enable fast recovery, and get familiar with the factory reset process in the event of ransomware
- Use a TCP port different from the default port (TCP 20256)
- Update Unitronics PLCs/HMIs to the latest version
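Several of these recommendations can be checked against an asset inventory. The following is an added example, not part of the CISA advisory or the original article: a Python audit that flags PLC records still on the default port, still using a default password, or reachable from sources outside the management allowlist. The inventory schema, device names, addresses and the alternative port 31020 are all constructed assumptions, and the model assumes a default-deny firewall where only the listed allow rules admit traffic.

```python
import ipaddress

DEFAULT_PORT = 20256  # default TCP port named in the advisory

# Constructed management allowlist and inventory (hypothetical schema and values).
ALLOWLIST = ["10.20.0.0/24"]
INVENTORY = [
    {"name": "pump-station-1", "port": 20256, "default_password": True,
     "allow_rules": [{"source": "0.0.0.0/0", "port": 20256}]},
    {"name": "booster-2", "port": 31020, "default_password": False,
     "allow_rules": [{"source": "10.20.0.0/24", "port": 31020},
                     {"source": "192.168.50.0/24", "port": 31020}]},
    {"name": "reservoir-3", "port": 31020, "default_password": False,
     "allow_rules": [{"source": "10.20.0.16/28", "port": 31020}]},
]


def audit_plc(plc, allowlist):
    """Return findings for one PLC record, checked against the advisory items."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    if plc["port"] == DEFAULT_PORT:
        findings.append("default-port")
    if plc["default_password"]:
        findings.append("default-password")
    for rule in plc["allow_rules"]:
        if rule["port"] != plc["port"]:
            continue  # rule does not expose the PLC's listening port
        src = ipaddress.ip_network(rule["source"])
        if src.prefixlen == 0:
            findings.append("open-to-internet")
        elif not any(src.version == n.version and src.subnet_of(n)
                     for n in allowed):
            findings.append(f"source-not-allowlisted:{src}")
    return findings


def audit_inventory(inventory, allowlist):
    """Map each PLC name to its list of findings (empty list means clean)."""
    return {plc["name"]: audit_plc(plc, allowlist) for plc in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, ALLOWLIST).items():
        print(name, findings or "ok")
```
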
The NCSC has previously highlighted a “significant and enduring” threat to critical infrastructure operators like water companies, according to director for national resilience and future technology, Jonathon Ellison.
“Our US counterparts, CISA, have issued an advisory outlining a threat against the water sector,” he added. “We are notifying UK providers of this threat, and recommend they protect consumers by following the mitigation advice set out by CISA.”