CISA’s response to Iran hacking control systems in US critical infrastructures is inadequate

Iran is in an undeclared war, including cyber war, against the U.S. and our critical infrastructures. Dec. 1, 2023, CISA, FBI, EPA, NSA and the Israel National Cyber Directorate (INCD) issued the following alert: “IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities.”

The Iranian Government Islamic Revolutionary Guard Corps (IRGC) is a nation-state with associated capabilities, not just some hackers who support a cause. The picture of the hack of Full Pint Brewery should remove all doubt that Iran is directly behind state-sponsored hacking of U.S. critical infrastructures. The Unitronics incidents are cyberattacks on control systems, in this case PLCs, not IP networks or equipment. PLCs are used for operation, not to hold customer information. Because IRGC got to the PLC, they can compromise the near- or long-term operation of any targeted system.
Iran has PLCs (think about Stuxnet as that was an attack against Siemens PLCs) in their nuclear, manufacturing and oil/gas industries and is familiar with the operation of PLCs. The Nov. 25 IRGC cyberattack of the Municipal Water Authority of Aliquippa brings several interesting wrinkles to cyber war. The IRGC targeted the control system equipment, in this case Israeli-made Unitronics PLCs, not the end-users such as Aliquippa or Full Pint. Consequently, this is a nation-state supply chain attack against U.S. critical infrastructure, not any single end-user or sector.

However, this supply chain attack is not the usual software compromise that can be addressed by a Software Bill of Materials, but design weaknesses in control systems that are not unique to Unitronics. Recall, Stuxnet compromised Siemens PLCs to cause damage to the centrifuges and Triconix controllers were compromised by the Russians in an attempt to blow up a Saudi Arabian petrochemical plant. It is evident the Dec. 1 alert does not address PLC-unique issues identified from the Unitronics incidents or other previous PLC attacks. 


Unitronics is a control system/automation supplier. From the Unitronics website, the company was founded in 1989 with installations in automated parking systems,…