This Alert is relevant to Australians who use Unitronics PLCs in environments where appropriate cyber security practices may not have been applied and where the devices are exposed to the internet.
Background / What has happened?
- There are confirmed reports of exploitation globally against Internet-exposed PLCs in critical sectors, notably water and waste management.
- Threat actors appear to have been targeting Unitronics Vision Series PLCs since 22 November.
- Threat actors have likely used default passwords to gain access to potentially critical systems and perform defacement, although the access they have obtained also enables them to reconfigure the device.
- This example continues to highlight the risk of Internet-exposed Industrial Control Systems (ICS) and the access to potentially sensitive and critical systems they can provide.
- Additional information can be found in advisories published by our partners:
  - IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA
  - NCSC statement following exploitation of Unitronics programmable logic controllers
  - Exploitation of Unitronics programmable logic controllers - Canadian Centre for Cyber Security
Mitigation / How do I stay secure?
These mitigations apply to all internet-facing PLCs, not just Unitronics.
Immediate steps to prevent attack:
- Change all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC default password is not in use.
- Disconnect the PLC from the public-facing internet or filter access to known internet endpoints that require access.
Follow-on steps to strengthen your security posture:
- Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
- If you require remote access, implement a firewall and/or virtual private network (VPN) in front of the PLC to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the PLC does not support multifactor authentication.
- Create strong backups of the logic and configurations of PLCs to enable fast recovery. Familiarise yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
- Keep your Unitronics and other PLC devices updated with the latest versions released by the manufacturer.
- Confirm third-party vendors are applying the above-recommended countermeasures to mitigate exposure of these devices and all installed equipment.
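As an added illustration of the filtering and firewall steps above (not part of the original alert), the following Python sketch audits a firewall allow-list for rules that let unapproved sources reach a PLC. The addresses, the rule format and the function name `audit_plc_exposure` are constructed for the example, and it assumes a flat IPv4 rule list in which any matching allow rule grants access.

```python
import ipaddress

# Constructed sample data (documentation and private address ranges only).
PLC_HOSTS = ["10.20.0.11", "10.20.0.12"]
# Sources that are allowed to reach PLCs, e.g. a vendor support IP and the VPN pool.
APPROVED_SOURCES = ["203.0.113.10/32", "10.99.0.0/24"]
RULES = [
    {"id": 1, "src": "0.0.0.0/0",       "dst": "10.20.0.11/32", "action": "allow"},
    {"id": 2, "src": "203.0.113.10/32", "dst": "10.20.0.0/24",  "action": "allow"},
    {"id": 3, "src": "10.99.0.0/25",    "dst": "10.20.0.12/32", "action": "allow"},
    {"id": 4, "src": "198.51.100.0/24", "dst": "10.20.0.12/32", "action": "allow"},
    {"id": 5, "src": "0.0.0.0/0",       "dst": "10.30.0.5/32",  "action": "allow"},
    {"id": 6, "src": "0.0.0.0/0",       "dst": "10.20.0.0/24",  "action": "deny"},
]


def audit_plc_exposure(rules, plc_hosts, approved_sources):
    """Return (rule id, source, exposed PLCs) for each allow rule whose
    source range is not fully contained in an approved source network."""
    plcs = [ipaddress.ip_address(h) for h in plc_hosts]
    approved = [ipaddress.ip_network(n) for n in approved_sources]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot expose a device
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        exposed = [str(p) for p in plcs if p in dst]
        if not exposed:
            continue  # rule does not cover any PLC
        # The whole source range must sit inside one approved network;
        # a wider range (such as 0.0.0.0/0) is reported.
        if not any(src.version == a.version and src.subnet_of(a) for a in approved):
            findings.append((rule["id"], rule["src"], exposed))
    return findings


if __name__ == "__main__":
    for rule_id, src, exposed in audit_plc_exposure(RULES, PLC_HOSTS, APPROVED_SOURCES):
        print(f"rule {rule_id}: source {src} can reach PLC(s) {', '.join(exposed)}")
```

Rule order and port restrictions are not modelled, so a finding is a prompt to review the rule on the firewall itself rather than proof of exposure.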
Assistance / Where can I go for help?
Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).