{
	"id": "fb70967f-4837-4853-af65-bcb23ad9e5c9",
	"created_at": "2026-04-06T00:19:55.576781Z",
	"updated_at": "2026-04-10T03:21:47.284657Z",
	"deleted_at": null,
	"sha1_hash": "3eddabf6156be073bf22bc28497e667462ae06ee",
	"title": "Exploitation of Unitronics PLCs used in Water and Wastewater Systems | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49222,
	"plain_text": "Exploitation of Unitronics PLCs used in Water and Wastewater\r\nSystems | CISA\r\nPublished: 2023-11-28 · Archived: 2026-04-05 15:53:18 UTC\r\nCISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the\r\nWater and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS\r\nfacilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s\r\nwater authority immediately took the system offline and switched to manual operations—there is no known risk to\r\nthe municipality’s drinking water or water supply.\r\nWWS Sector facilities use PLCs to control and monitor various stages and processes of water and wastewater\r\ntreatment, including turning on and off pumps at a pump station to fill tanks and reservoirs, flow pacing chemicals\r\nto meet regulations, gathering compliance data for monthly regulation reports, and announcing critical alarms to\r\noperations. \r\nAttempts to compromise WWS integrity via unauthorized access threaten the ability of WWS facilities to provide\r\nclean, potable water to, and effectively manage the wastewater of, their communities.\r\nThe cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human\r\nMachine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and\r\nexposure to the internet. To secure WWS facilities against this threat, CISA urges organizations to:\r\nChange all default passwords on PLCs and HMIs and use a strong password. Ensure the Unitronics PLC\r\ndefault password “1111” is not in use. \r\nRequire multifactor authentication for all remote access to the OT network, including from the IT network\r\nand external networks.\r\nDisconnect the PLC from the open internet. If remote access is necessary, control network access to the\r\nPLC.   
\r\nImplement a Firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN\r\nor gateway device can enable multifactor authentication for remote access even if the PLC does not\r\nsupport multifactor authentication. Unitronics also has a secure cellular based longhaul transport\r\ndevice that is secure to their cloud services. \r\nUse an allowlist of IPs for access. \r\nBack up the logic and configurations on any Unitronics PLCs to enable fast recovery. Become familiar\r\nwith the process for factory resetting and deploying configurations to a device in the event of being hit by\r\nransomware.\r\nIf possible, utilize a TCP port that is different than the default port TCP 20256. Cyber actors are actively\r\ntargeting TCP 20256 after identifying it through network probing as a port associated to Unitronics PLC.\r\nOnce identified, they leverage scripts specific to PCOM/TCP to query and validate the system, allowing for\r\nfurther probing and connection. If available, use PCOM/TCP filters to parse out the packets.\r\nUpdated Dec. 19, 2023: \r\nUpdate PLC/HMI to the latest version provided by Unitronics.\r\nSee Unitronics Cybersecurity Advisory 2023-001 for more information.\r\nSee joint Cybersecurity Advisory, IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors,\r\nIncluding U.S. Water and Wastewater Systems Facilities (published Dec. 1, 2023) for additional\r\ntechnical information and mitigations.\r\nSee CISA's Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating\r\nDefault Passwords.\r\nCISA and WWS Sector partners have developed numerous tools and resources that water utilities can use to\r\nincrease their cybersecurity. 
Please visit:\r\nCISA: Water and Wastewater Cybersecurity\r\nEPA: Cybersecurity for the Water Sector\r\nWaterISAC: Resource Center\r\nAmerican Water Works Association: Cybersecurity and Guidance\r\nReport\r\nOrganizations can also report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or by\r\ncalling 1-844-Say-CISA (1-844-729-2472), or your local FBI field office. \r\nSource: https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"
	],
	"report_names": [
		"exploitation-unitronics-plcs-used-water-and-wastewater-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3eddabf6156be073bf22bc28497e667462ae06ee.pdf",
		"text": "https://archive.orkl.eu/3eddabf6156be073bf22bc28497e667462ae06ee.txt",
		"img": "https://archive.orkl.eu/3eddabf6156be073bf22bc28497e667462ae06ee.jpg"
	}
}