The Unitronics PLC hack is an Iranian IRGC supply chain attack against multiple US critical infrastructures on US soil (it has also affected international users) targeting the Israeli-made Unitronics PLCs through its customers. The CISA response has been less than satisfactory as this was an attack against the PLCs whereas CISA’s recommendations only addressed IT issues. The absence of discussions about the PLCs ignores the fact that the defacements could be a way to “hide” the more sinister part of the attack against the PLC logic. Stuxnet was an attack against the PLCs in the centrifuges in Iran. Is this retribution? The IRGC attack vector is not unique to Unitronics, nor to the water and wastewater sector. If, as SANS has stated, default passwords are security weaknesses, almost every IT, OT, and control system vendor is guilty of providing products with known security weaknesses. Since Unitronics PLCs are so widely used, both in the US and internationally, these inappropriate Unitronics CISA Alerts and CVEs are putting US critical infrastructures at risk.
