Intermediate

Security Hot Takes: The Aliquippa Water Breach

The Aliquippa Water Authority breach is a case study in how a basic, avoidable systems-integration failure — not a sophisticated exploit — can expose critical infrastructure to compromise...

Table of Contents

Module 1: The Aliquippa Water Authority OT/ICS Breach

Defining Operational Technology, ICS, and IIoT

Before analyzing the incident itself, it is worth clarifying the terminology used throughout operational technology (OT) security discussions, since the terms are often used interchangeably despite having distinct meanings.

Operational technology (OT) is the umbrella term for any technology that interacts with the physical world — that is, any system that senses and measures an environment or a process, or manipulates and changes that process in some way.

Industrial control systems (ICS) are a subset of OT. ICS provides automation for manufacturing and industrial processes: it senses and measures a process (temperature, pressure, tank level, and so on) and it can change that process (opening or closing a valve, changing pump speed, switching a heater on or off).

OT is broader than ICS alone. It also encompasses building automation systems — heating, ventilation and air conditioning (HVAC), lighting, physical access control, elevators, and similar building-management functions.

The Internet of Things (IoT) is a network of physical objects embedded with sensors, software, and networking technology that allows them to communicate and exchange data with other devices across the internet. When this concept is extended to operational technology — industrial control systems that are connected to the internet and can communicate with other devices — the result is the Industrial Internet of Things (IIoT).

mindmap
  root((Operational Technology))
    OT (broad umbrella)
      Building automation
        HVAC
        Lighting
        Access control
        Elevators
      Industrial Control Systems (ICS)
        Sensing
          Temperature
          Pressure
          Tank level
        Actuation
          Valves
          Pump speed
          Heaters
    Internet of Things (IoT)
      Embedded sensors
      Networked communication
    Industrial IoT (IIoT)
      Internet-connected ICS
      Cross-device communication
TermScopeExample
OT (Operational Technology)Broadest umbrella — any tech that senses/manipulates the physical worldBuilding HVAC, elevators, ICS
ICS (Industrial Control Systems)Subset of OT focused on industrial/manufacturing process automationPLCs controlling pumps and valves
IoT (Internet of Things)Networked physical objects with embedded sensors/softwareSmart thermostats, connected sensors
IIoT (Industrial IoT)ICS/OT devices connected to the internet and communicating with other devicesInternet-exposed PLCs, remote SCADA telemetry

What Happened at Aliquippa

Over the weekend of November 25–26 (2023), a hacktivist group calling itself Cyber Avengers gained unauthorized access to the control system of a water booster station operated by the Aliquippa Water Authority in Pennsylvania.

The devices the group accessed were programmable logic controllers (PLCs) manufactured by Unitronics, an Israeli-based company. The attackers made relatively minor changes to the system — including renaming the PLC and defacing the operator interface with anti-Israel messaging — but these changes triggered an alarm. Operators intervened and switched the system to manual operation. As a result, there was no impact on the water supply.

sequenceDiagram
    participant Attacker as Cyber Avengers
    participant Internet
    participant PLC as Unitronics PLC
    participant HMI as Operator Interface (HMI)
    participant Operator as Aliquippa Operator

    Attacker->>Internet: Scan for internet-exposed Unitronics PLCs
    Internet->>PLC: Direct connection (no firewall, no VPN)
    Attacker->>PLC: Authenticate using default credentials (admin / 1111)
    PLC-->>Attacker: Access granted
    Attacker->>PLC: Rename device to "Gaza"
    Attacker->>HMI: Deface interface with anti-Israel messaging
    PLC->>HMI: Communication/status anomaly
    HMI-->>Operator: Alarm raised
    Operator->>PLC: Switch booster station to manual operation
    Note over Operator,PLC: Water supply continuity maintained;<br/>no disruption to customers

Water Distribution Fundamentals: What Is a Booster Station?

To understand the significance of the compromised device, it helps to understand how a municipal water distribution network operates.

A water distribution network begins with a supply of water — in Aliquippa’s case, a series of wells located around the local area, drawing from underlying aquifers. Water from the wells is transferred to a water treatment station, where it is cleaned, softened, and disinfected. It is then transferred to a series of reservoirs located in high-population areas. From the reservoirs, water travels through a network of underground pipes to homes, schools, hospitals, and other end users.

Engineers try to use gravity as much as possible to move water between stages, since gravity-fed flow is free energy. The problem is that as water flows through a pipe, it loses energy and pressure drops. Water booster stations exist to solve this problem: a booster station is essentially a collection of pumps that takes low-pressure water and boosts its pressure so it can reach its final destination.

flowchart LR
    A[Wells / Aquifers] --> B[Water Treatment Station<br/>Cleaning, Softening, Disinfection]
    B --> C[Reservoirs<br/>High-population areas]
    C --> D[Booster Station<br/>Pumps restore pressure]
    D --> E[Underground Distribution Pipes]
    E --> F[Homes / Schools / Hospitals]

The Role of the Programmable Logic Controller

A programmable logic controller (PLC) is a key component of any industrial control system. It is connected to both inputs and outputs:

  • Inputs are instruments that measure and sense the process. In the Aliquippa booster station, these would include instruments measuring the flow of water through the pipes, the pressure, and the speed of the pump.
  • Outputs are components that change the system. In this case, outputs would include valves (opened or closed to control water flow) and the pump itself (its speed controlled to regulate pressure within the water main).

The link between inputs and outputs is a set of logic rules programmed into the PLC’s memory. The PLC periodically polls its inputs to take measurements, applies its logic rules, and decides whether any change to the outputs is needed to keep the process within its specified design parameters.

flowchart TD
    subgraph Inputs
        I1[Flow sensors]
        I2[Pressure sensors]
        I3[Pump speed sensors]
    end
    subgraph PLC["Programmable Logic Controller"]
        L[Logic Rules<br/>stored in memory]
        Poll[Periodic polling cycle]
    end
    subgraph Outputs
        O1[Valves — open/close]
        O2[Pump speed control]
    end
    Inputs --> Poll --> L --> Outputs
    L -.decision based on design parameters.-> Outputs

Root Cause: A Systems Integration Failure, Not a Product Vulnerability

A critical clarification made in the discussion is that this incident was not the result of a vulnerability in the Unitronics PLC itself. No exploit was used. The root cause was a systems integration issue, comprising two distinct failures:

  1. The PLCs were connected directly to the internet — with no firewall, no VPN, and no monitoring in place.
  2. The default password was never changed from the manufacturer’s default of 1111 (with a default username of admin).

Together, these two gaps meant that any attacker capable of locating the device on the internet — for example, through a simple search — could authenticate to it using publicly known default credentials.

flowchart TD
    A[Unitronics PLC deployed] --> B{Connected directly<br/>to the internet?}
    B -- Yes, no firewall/VPN --> C[Device reachable from anywhere]
    A --> D{Default credentials<br/>changed?}
    D -- No, admin/1111 retained --> E[Trivial authentication]
    C --> F[Full remote access to control system]
    E --> F
    F --> G[Attacker can rename device,<br/>deface HMI, or manipulate outputs]

Why Legacy ICS Still Ships With Weak Security Defaults

A recurring theme in ICS/OT security is that many industrial control systems were installed at a time when cyber risk simply wasn’t a consideration for system integrators, so controls like firewalls, VPNs, and credential rotation were not built into deployment practices.

This is compounded by a resource-allocation problem faced by small utilities. The Aliquippa Water Authority serves fewer than 7,000 customers, yet is responsible for maintaining over 80 miles of water main, roughly 900 isolation valves, and 450 fire hydrants — much of it aging infrastructure. When an organization of this size has to prioritize investment, the choice is often framed as: invest in maintaining and repairing physical infrastructure to keep water flowing, or invest in cybersecurity controls against a threat that historically wasn’t seen as credible. Few utility operators of this scale would have anticipated that a small regional water authority could become a target of a nation-state-linked hacktivist campaign — until it happened.

flowchart TD
    A[Small municipal utility<br/>fewer than 7,000 customers] --> B[Limited capital budget]
    B --> C{Where to invest?}
    C -->|Physical infrastructure| D[Maintain 80+ miles of water main,<br/>~900 isolation valves, 450 hydrants]
    C -->|Cybersecurity controls| E[Firewalls, VPN, MFA,<br/>credential management]
    D --> F[Perceived as immediate operational necessity]
    E --> G[Historically perceived as low-probability risk]
    F -.often wins budget priority.-> H[Aging physical assets maintained,<br/>OT security controls deferred]
    G -.-> H

Threat Actor Profile: Cyber Avengers

The group behind the intrusion, Cyber Avengers, is described as an Iran-backed hacktivist group well known for targeting facilities within the state of Israel. Since the outbreak of regional conflict, the scope of their targeting has broadened to include:

  • Countries that support Israel.
  • Organizations that use equipment manufactured by Israeli companies — which is precisely why a Unitronics PLC (an Israeli-made product) deployed at a Pennsylvania water utility became a target, despite having no direct connection to Israel itself.

Evidence of the group’s motivation and attribution in this incident came from the changes they made once inside the system: they renamed the PLCs to “Gaza” and defaced the operator interface with anti-Israel messaging, rather than attempting to disrupt the actual water supply process.

mindmap
  root((Cyber Avengers))
    Attribution
      Iran-backed hacktivist group
      Historically targets Israel-based facilities
    Expanded targeting after regional conflict
      Countries supporting Israel
      Organizations using Israeli-manufactured equipment
    Evidence from Aliquippa intrusion
      PLC renamed "Gaza"
      Anti-Israel messaging on HMI
      No attempt to disrupt water supply directly

What Could Have Happened: The Worst-Case Scenario

In this incident, the impact was limited to a defaced interface and a renamed device — the actual water supply was never disrupted. However, considering the worst-case scenario is instructive for risk assessment purposes.

Had the hacktivists chosen to actively manipulate the process — for example, by closing valves or switching off the pump — the result would have been a temporary loss of water supply. Critically, this would still have triggered alarms, and operators would have been able to switch to manual operation and restore supply relatively quickly. The underlying safety and alarm systems built into the process would have limited the severity and duration of any disruption.

Safety Engineering Backstop: The Layers of Protection Model

When evaluating potential consequences of a cyberattack against OT, it is not sufficient to look only at cybersecurity controls (firewalls, credentials, monitoring). OT environments are designed with safety in mind from the outset, and a common model used in safety engineering — the layers of protection model — helps explain why a cyberattack on a control system does not automatically translate into a catastrophic physical outcome.

The layers, from the innermost (normal operation) outward, are:

  1. Process Control Layer — Represents normal operations. A basic process control system maintains a process value at a set point (for example, keeping a chemical reactor’s temperature at 135°F). Minor variations are automatically corrected: the controller increases cooling water flow if temperature rises above the set point, and decreases it if temperature falls below.
  2. Alarm and Operator Intervention Layer — If the process value drifts beyond the upper or lower limits of the acceptable range (high/low alarm thresholds), an alarm is raised. This can trigger an automatic shutdown or prompt manual operator intervention.
  3. Safety Instrumented Systems (SIS) Layer — If the process value cannot be brought back under control and continues to drift (e.g., temperature continues to rise), independent safety instrumented systems activate. These are high-reliability systems, completely independent from the basic control system, rigorously designed to handle a wide range of emergency scenarios.
  4. Accident Mitigation Layers — Because not every accident scenario can be anticipated at the design stage, three additional layers exist beyond prevention, focused purely on mitigating harm to workers, the public, and the environment once an accident has already occurred.
flowchart TD
    L1["Layer 1: Process Control<br/>Maintains set point (e.g., 135°F)"] --> L2
    L2["Layer 2: Alarms & Operator Intervention<br/>High/low threshold breach → automatic shutdown or manual action"] --> L3
    L3["Layer 3: Safety Instrumented Systems (SIS)<br/>Independent, high-reliability emergency response"] --> L4
    L4["Layers 4-6: Accident Mitigation<br/>Minimize harm to workers, public, and environment"]

    style L1 fill:#d4f4dd
    style L2 fill:#fff3cd
    style L3 fill:#f8d7da
    style L4 fill:#e2d5f0
LayerPurposeIndependence
Process ControlMaintains normal operating set point automaticallyPart of the basic control system
Alarms / Operator InterventionFlags out-of-range conditions; triggers automatic shutdown or manual responseUses control-system alarm logic
Safety Instrumented System (SIS)Handles emergency conditions the control layer cannot resolveFully independent of the control system
Accident Mitigation (3 layers)Minimizes harm to workers, the public, and the environment once an accident occursIndependent physical/procedural safeguards

Applying the Layers of Protection Model to the Aliquippa Incident

Mapping the actual incident onto this model: a process alarm was raised at the very first layer of protection, and an operator intervened once that alarm sounded.

Because water supply continuity was maintained throughout the incident, it is unlikely that the alarm was a pressure-drop alarm or a “pump switched off” alarm — those would imply an actual interruption to the process. It is more plausible that the alarm was a communications alarm: if the PLC’s name had been changed by the attackers, that could plausibly have disrupted expected communications between devices in the control system, triggering the alert operators responded to.

The key reassurance from this analysis is that even when an attacker gains unauthorized remote access to an OT device, the layered safety architecture underneath the control system — independent of the compromised device itself — provides a meaningful backstop against physical consequences.

Scale of the Exposure: Shodan Findings

Shortly after the Aliquippa Water Authority breach became public, a search using Shodan (a search engine for internet-connected devices) found approximately 1,800 Unitronics PLCs connected directly to the internet. About a week later, that number had dropped to approximately 1,600 — suggesting that some operators, having heard the news, took steps to isolate their devices from direct internet exposure. That is a positive trend, but it still left a substantial number of devices exposed.

Point in TimeUnitronics PLCs Found Exposed on Shodan
Shortly after the breach became public~1,800
~1 week later~1,600
flowchart LR
    A["Breach becomes public knowledge"] --> B["Shodan scan: ~1,800 exposed<br/>Unitronics PLCs found"]
    B --> C["~1 week passes<br/>Some operators take remediation action"]
    C --> D["Follow-up scan: ~1,600 exposed<br/>Unitronics PLCs found"]
    D --> E["~200 devices remediated,<br/>~1,600 still exposed"]

Recommendations for OT/ICS Operators

The discussion closes with a set of practical, low-friction recommendations for any organization operating OT or ICS equipment — none of which require significant capital investment, and all of which directly address the root causes identified in the Aliquippa incident.

RecommendationRationale
Never connect OT/ICS devices directly to the internetRemoves the primary attack surface that made the Aliquippa PLCs reachable at all
Deploy a firewall in front of OT/ICS networksAllows rules restricting access to trusted IP addresses only
Implement a VPN for any required remote accessEnsures remote connections are authenticated and encrypted rather than exposed directly
Enforce multi-factor authentication (MFA) on VPN accessSignificantly raises the bar against credential-based compromise
Change all default manufacturer passwords immediately upon deploymentEliminates the single largest enabler of this specific breach (default admin / 1111)
Follow standard password hygiene practicesReduces the risk of brute-force or credential-guessing attacks even after defaults are changed
Maintain an inventory of internet-facing OT assets (e.g., via Shodan-style scanning)Enables an organization to know its own exposure before an attacker finds it first
Treat OT safety layers (alarms, SIS) as a complementary — not a substitute — defenseEnsures physical safety backstops remain intact even if cyber controls are bypassed
flowchart TD
    Start([OT/ICS Security Baseline]) --> A{Is the device<br/>internet-facing?}
    A -- Yes --> B[Remove direct exposure:<br/>place behind firewall/VPN]
    A -- No --> C[Verify network segmentation<br/>is actually enforced]
    B --> D{Default credentials<br/>still in use?}
    C --> D
    D -- Yes --> E[Change credentials immediately;<br/>apply password hygiene policy]
    D -- No --> F[Enable MFA on remote access]
    E --> F
    F --> G[Maintain ongoing internet-exposure<br/>inventory / external scanning]
    G --> H[Validate independent safety layers<br/>(alarms, SIS) remain intact]
    H --> End([Reduced OT attack surface,<br/>preserved safety backstop])

Summary

The Aliquippa Water Authority breach is a case study in how a basic, avoidable systems-integration failure — not a sophisticated exploit — can expose critical infrastructure to compromise by a geopolitically motivated threat actor. Over a November weekend, the Iran-linked hacktivist group Cyber Avengers accessed internet-exposed Unitronics PLCs (chosen specifically because Unitronics is an Israeli manufacturer) at a Pennsylvania water booster station, using nothing more advanced than the device’s unchanged default credentials (admin / 1111). The attackers defaced the operator interface and renamed the PLC to “Gaza,” triggering an alarm that allowed operators to switch to manual control before any disruption to the water supply occurred.

The incident illustrates several durable lessons for OT/ICS security:

  • Attack surface, not sophistication, is often the deciding factor. No vulnerability was exploited — only a device reachable directly from the internet with a manufacturer default password.
  • Geopolitical targeting increasingly extends to equipment origin, not just organizational affiliation. A small US water utility became a target purely because of the nationality of its equipment vendor.
  • Small and under-resourced operators are not “too small to be a target.” A utility serving fewer than 7,000 customers, competing for budget between aging physical infrastructure and cybersecurity investment, was targeted by a nation-state-linked group.
  • Safety engineering is a legitimate complementary control to cybersecurity. The layers of protection model (process control → alarms/operator intervention → safety instrumented systems → accident mitigation layers) meant that even a successful intrusion did not translate into a loss of water supply.
  • Exposure at scale is measurable and persistent. Shodan searches found roughly 1,800 internet-exposed Unitronics PLCs immediately after the breach, dropping only to around 1,600 a week later — most affected organizations still had not remediated their exposure even after public disclosure.

Defensive / Mitigation Checklist

  • Never connect OT/ICS devices (PLCs, RTUs, HMIs) directly to the public internet.
  • Place all OT/ICS assets behind a properly configured firewall with IP allow-listing.
  • Require a VPN for any remote access into OT/ICS environments.
  • Enforce multi-factor authentication (MFA) on all remote access, including VPNs.
  • Change every manufacturer default password immediately at deployment — never leave defaults like admin/1111 in place.
  • Apply standard password hygiene (length, complexity, rotation) to all OT accounts.
  • Regularly scan your own external footprint (e.g., using Shodan or similar tools) to discover unintentionally exposed OT devices.
  • Treat independent safety layers (alarms, safety instrumented systems, physical mitigation) as essential complements to — not replacements for — cybersecurity controls.
  • Assume that organizational size or perceived insignificance is not protection against nation-state-linked or hacktivist targeting, particularly where equipment origin or vendor nationality is politically salient.
  • Build an incident response plan for OT/ICS specifically, including a clear path to manual operation when automated systems are compromised.

Search Terms

security · hot · takes · aliquippa · water · breach · threat · intel · networking · systems · ics · happened · layers · model · protection

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.