Table of Contents
- Module 1: The Aliquippa Water Authority OT/ICS Breach
- Defining Operational Technology, ICS, and IIoT
- What Happened at Aliquippa
- Water Distribution Fundamentals: What Is a Booster Station?
- The Role of the Programmable Logic Controller
- Root Cause: A Systems Integration Failure, Not a Product Vulnerability
- Why Legacy ICS Still Ships With Weak Security Defaults
- Threat Actor Profile: Cyber Avengers
- What Could Have Happened: The Worst-Case Scenario
- Safety Engineering Backstop: The Layers of Protection Model
- Applying the Layers of Protection Model to the Aliquippa Incident
- Scale of the Exposure: Shodan Findings
- Recommendations for OT/ICS Operators
- Summary
Module 1: The Aliquippa Water Authority OT/ICS Breach
Defining Operational Technology, ICS, and IIoT
Before analyzing the incident itself, it is worth clarifying the terminology used throughout operational technology (OT) security discussions, since the terms are often used interchangeably despite having distinct meanings.
Operational technology (OT) is the umbrella term for any technology that interacts with the physical world — that is, any system that senses and measures an environment or a process, or manipulates and changes that process in some way.
Industrial control systems (ICS) are a subset of OT. ICS provides automation for manufacturing and industrial processes: it senses and measures a process (temperature, pressure, tank level, and so on) and it can change that process (opening or closing a valve, changing pump speed, switching a heater on or off).
OT is broader than ICS alone. It also encompasses building automation systems — heating, ventilation and air conditioning (HVAC), lighting, physical access control, elevators, and similar building-management functions.
The Internet of Things (IoT) is a network of physical objects embedded with sensors, software, and networking technology that allows them to communicate and exchange data with other devices across the internet. When this concept is extended to operational technology — industrial control systems that are connected to the internet and can communicate with other devices — the result is the Industrial Internet of Things (IIoT).
mindmap
root((Operational Technology))
OT (broad umbrella)
Building automation
HVAC
Lighting
Access control
Elevators
Industrial Control Systems (ICS)
Sensing
Temperature
Pressure
Tank level
Actuation
Valves
Pump speed
Heaters
Internet of Things (IoT)
Embedded sensors
Networked communication
Industrial IoT (IIoT)
Internet-connected ICS
Cross-device communication
| Term | Scope | Example |
|---|---|---|
| OT (Operational Technology) | Broadest umbrella — any tech that senses/manipulates the physical world | Building HVAC, elevators, ICS |
| ICS (Industrial Control Systems) | Subset of OT focused on industrial/manufacturing process automation | PLCs controlling pumps and valves |
| IoT (Internet of Things) | Networked physical objects with embedded sensors/software | Smart thermostats, connected sensors |
| IIoT (Industrial IoT) | ICS/OT devices connected to the internet and communicating with other devices | Internet-exposed PLCs, remote SCADA telemetry |
What Happened at Aliquippa
Over the weekend of November 25–26 (2023), a hacktivist group calling itself Cyber Avengers gained unauthorized access to the control system of a water booster station operated by the Aliquippa Water Authority in Pennsylvania.
The devices the group accessed were programmable logic controllers (PLCs) manufactured by Unitronics, an Israeli-based company. The attackers made relatively minor changes to the system — including renaming the PLC and defacing the operator interface with anti-Israel messaging — but these changes triggered an alarm. Operators intervened and switched the system to manual operation. As a result, there was no impact on the water supply.
sequenceDiagram
participant Attacker as Cyber Avengers
participant Internet
participant PLC as Unitronics PLC
participant HMI as Operator Interface (HMI)
participant Operator as Aliquippa Operator
Attacker->>Internet: Scan for internet-exposed Unitronics PLCs
Internet->>PLC: Direct connection (no firewall, no VPN)
Attacker->>PLC: Authenticate using default credentials (admin / 1111)
PLC-->>Attacker: Access granted
Attacker->>PLC: Rename device to "Gaza"
Attacker->>HMI: Deface interface with anti-Israel messaging
PLC->>HMI: Communication/status anomaly
HMI-->>Operator: Alarm raised
Operator->>PLC: Switch booster station to manual operation
Note over Operator,PLC: Water supply continuity maintained;<br/>no disruption to customers
Water Distribution Fundamentals: What Is a Booster Station?
To understand the significance of the compromised device, it helps to understand how a municipal water distribution network operates.
A water distribution network begins with a supply of water — in Aliquippa’s case, a series of wells located around the local area, drawing from underlying aquifers. Water from the wells is transferred to a water treatment station, where it is cleaned, softened, and disinfected. It is then transferred to a series of reservoirs located in high-population areas. From the reservoirs, water travels through a network of underground pipes to homes, schools, hospitals, and other end users.
Engineers try to use gravity as much as possible to move water between stages, since gravity-fed flow is free energy. The problem is that as water flows through a pipe, it loses energy and pressure drops. Water booster stations exist to solve this problem: a booster station is essentially a collection of pumps that takes low-pressure water and boosts its pressure so it can reach its final destination.
flowchart LR
A[Wells / Aquifers] --> B[Water Treatment Station<br/>Cleaning, Softening, Disinfection]
B --> C[Reservoirs<br/>High-population areas]
C --> D[Booster Station<br/>Pumps restore pressure]
D --> E[Underground Distribution Pipes]
E --> F[Homes / Schools / Hospitals]
The Role of the Programmable Logic Controller
A programmable logic controller (PLC) is a key component of any industrial control system. It is connected to both inputs and outputs:
- Inputs are instruments that measure and sense the process. In the Aliquippa booster station, these would include instruments measuring the flow of water through the pipes, the pressure, and the speed of the pump.
- Outputs are components that change the system. In this case, outputs would include valves (opened or closed to control water flow) and the pump itself (its speed controlled to regulate pressure within the water main).
The link between inputs and outputs is a set of logic rules programmed into the PLC’s memory. The PLC periodically polls its inputs to take measurements, applies its logic rules, and decides whether any change to the outputs is needed to keep the process within its specified design parameters.
flowchart TD
subgraph Inputs
I1[Flow sensors]
I2[Pressure sensors]
I3[Pump speed sensors]
end
subgraph PLC["Programmable Logic Controller"]
L[Logic Rules<br/>stored in memory]
Poll[Periodic polling cycle]
end
subgraph Outputs
O1[Valves — open/close]
O2[Pump speed control]
end
Inputs --> Poll --> L --> Outputs
L -.decision based on design parameters.-> Outputs
Root Cause: A Systems Integration Failure, Not a Product Vulnerability
A critical clarification made in the discussion is that this incident was not the result of a vulnerability in the Unitronics PLC itself. No exploit was used. The root cause was a systems integration issue, comprising two distinct failures:
- The PLCs were connected directly to the internet — with no firewall, no VPN, and no monitoring in place.
- The default password was never changed from the manufacturer’s default of
1111(with a default username ofadmin).
Together, these two gaps meant that any attacker capable of locating the device on the internet — for example, through a simple search — could authenticate to it using publicly known default credentials.
flowchart TD
A[Unitronics PLC deployed] --> B{Connected directly<br/>to the internet?}
B -- Yes, no firewall/VPN --> C[Device reachable from anywhere]
A --> D{Default credentials<br/>changed?}
D -- No, admin/1111 retained --> E[Trivial authentication]
C --> F[Full remote access to control system]
E --> F
F --> G[Attacker can rename device,<br/>deface HMI, or manipulate outputs]
Why Legacy ICS Still Ships With Weak Security Defaults
A recurring theme in ICS/OT security is that many industrial control systems were installed at a time when cyber risk simply wasn’t a consideration for system integrators, so controls like firewalls, VPNs, and credential rotation were not built into deployment practices.
This is compounded by a resource-allocation problem faced by small utilities. The Aliquippa Water Authority serves fewer than 7,000 customers, yet is responsible for maintaining over 80 miles of water main, roughly 900 isolation valves, and 450 fire hydrants — much of it aging infrastructure. When an organization of this size has to prioritize investment, the choice is often framed as: invest in maintaining and repairing physical infrastructure to keep water flowing, or invest in cybersecurity controls against a threat that historically wasn’t seen as credible. Few utility operators of this scale would have anticipated that a small regional water authority could become a target of a nation-state-linked hacktivist campaign — until it happened.
flowchart TD
A[Small municipal utility<br/>fewer than 7,000 customers] --> B[Limited capital budget]
B --> C{Where to invest?}
C -->|Physical infrastructure| D[Maintain 80+ miles of water main,<br/>~900 isolation valves, 450 hydrants]
C -->|Cybersecurity controls| E[Firewalls, VPN, MFA,<br/>credential management]
D --> F[Perceived as immediate operational necessity]
E --> G[Historically perceived as low-probability risk]
F -.often wins budget priority.-> H[Aging physical assets maintained,<br/>OT security controls deferred]
G -.-> H
Threat Actor Profile: Cyber Avengers
The group behind the intrusion, Cyber Avengers, is described as an Iran-backed hacktivist group well known for targeting facilities within the state of Israel. Since the outbreak of regional conflict, the scope of their targeting has broadened to include:
- Countries that support Israel.
- Organizations that use equipment manufactured by Israeli companies — which is precisely why a Unitronics PLC (an Israeli-made product) deployed at a Pennsylvania water utility became a target, despite having no direct connection to Israel itself.
Evidence of the group’s motivation and attribution in this incident came from the changes they made once inside the system: they renamed the PLCs to “Gaza” and defaced the operator interface with anti-Israel messaging, rather than attempting to disrupt the actual water supply process.
mindmap
root((Cyber Avengers))
Attribution
Iran-backed hacktivist group
Historically targets Israel-based facilities
Expanded targeting after regional conflict
Countries supporting Israel
Organizations using Israeli-manufactured equipment
Evidence from Aliquippa intrusion
PLC renamed "Gaza"
Anti-Israel messaging on HMI
No attempt to disrupt water supply directly
What Could Have Happened: The Worst-Case Scenario
In this incident, the impact was limited to a defaced interface and a renamed device — the actual water supply was never disrupted. However, considering the worst-case scenario is instructive for risk assessment purposes.
Had the hacktivists chosen to actively manipulate the process — for example, by closing valves or switching off the pump — the result would have been a temporary loss of water supply. Critically, this would still have triggered alarms, and operators would have been able to switch to manual operation and restore supply relatively quickly. The underlying safety and alarm systems built into the process would have limited the severity and duration of any disruption.
Safety Engineering Backstop: The Layers of Protection Model
When evaluating potential consequences of a cyberattack against OT, it is not sufficient to look only at cybersecurity controls (firewalls, credentials, monitoring). OT environments are designed with safety in mind from the outset, and a common model used in safety engineering — the layers of protection model — helps explain why a cyberattack on a control system does not automatically translate into a catastrophic physical outcome.
The layers, from the innermost (normal operation) outward, are:
- Process Control Layer — Represents normal operations. A basic process control system maintains a process value at a set point (for example, keeping a chemical reactor’s temperature at 135°F). Minor variations are automatically corrected: the controller increases cooling water flow if temperature rises above the set point, and decreases it if temperature falls below.
- Alarm and Operator Intervention Layer — If the process value drifts beyond the upper or lower limits of the acceptable range (high/low alarm thresholds), an alarm is raised. This can trigger an automatic shutdown or prompt manual operator intervention.
- Safety Instrumented Systems (SIS) Layer — If the process value cannot be brought back under control and continues to drift (e.g., temperature continues to rise), independent safety instrumented systems activate. These are high-reliability systems, completely independent from the basic control system, rigorously designed to handle a wide range of emergency scenarios.
- Accident Mitigation Layers — Because not every accident scenario can be anticipated at the design stage, three additional layers exist beyond prevention, focused purely on mitigating harm to workers, the public, and the environment once an accident has already occurred.
flowchart TD
L1["Layer 1: Process Control<br/>Maintains set point (e.g., 135°F)"] --> L2
L2["Layer 2: Alarms & Operator Intervention<br/>High/low threshold breach → automatic shutdown or manual action"] --> L3
L3["Layer 3: Safety Instrumented Systems (SIS)<br/>Independent, high-reliability emergency response"] --> L4
L4["Layers 4-6: Accident Mitigation<br/>Minimize harm to workers, public, and environment"]
style L1 fill:#d4f4dd
style L2 fill:#fff3cd
style L3 fill:#f8d7da
style L4 fill:#e2d5f0
| Layer | Purpose | Independence |
|---|---|---|
| Process Control | Maintains normal operating set point automatically | Part of the basic control system |
| Alarms / Operator Intervention | Flags out-of-range conditions; triggers automatic shutdown or manual response | Uses control-system alarm logic |
| Safety Instrumented System (SIS) | Handles emergency conditions the control layer cannot resolve | Fully independent of the control system |
| Accident Mitigation (3 layers) | Minimizes harm to workers, the public, and the environment once an accident occurs | Independent physical/procedural safeguards |
Applying the Layers of Protection Model to the Aliquippa Incident
Mapping the actual incident onto this model: a process alarm was raised at the very first layer of protection, and an operator intervened once that alarm sounded.
Because water supply continuity was maintained throughout the incident, it is unlikely that the alarm was a pressure-drop alarm or a “pump switched off” alarm — those would imply an actual interruption to the process. It is more plausible that the alarm was a communications alarm: if the PLC’s name had been changed by the attackers, that could plausibly have disrupted expected communications between devices in the control system, triggering the alert operators responded to.
The key reassurance from this analysis is that even when an attacker gains unauthorized remote access to an OT device, the layered safety architecture underneath the control system — independent of the compromised device itself — provides a meaningful backstop against physical consequences.
Scale of the Exposure: Shodan Findings
Shortly after the Aliquippa Water Authority breach became public, a search using Shodan (a search engine for internet-connected devices) found approximately 1,800 Unitronics PLCs connected directly to the internet. About a week later, that number had dropped to approximately 1,600 — suggesting that some operators, having heard the news, took steps to isolate their devices from direct internet exposure. That is a positive trend, but it still left a substantial number of devices exposed.
| Point in Time | Unitronics PLCs Found Exposed on Shodan |
|---|---|
| Shortly after the breach became public | ~1,800 |
| ~1 week later | ~1,600 |
flowchart LR
A["Breach becomes public knowledge"] --> B["Shodan scan: ~1,800 exposed<br/>Unitronics PLCs found"]
B --> C["~1 week passes<br/>Some operators take remediation action"]
C --> D["Follow-up scan: ~1,600 exposed<br/>Unitronics PLCs found"]
D --> E["~200 devices remediated,<br/>~1,600 still exposed"]
Recommendations for OT/ICS Operators
The discussion closes with a set of practical, low-friction recommendations for any organization operating OT or ICS equipment — none of which require significant capital investment, and all of which directly address the root causes identified in the Aliquippa incident.
| Recommendation | Rationale |
|---|---|
| Never connect OT/ICS devices directly to the internet | Removes the primary attack surface that made the Aliquippa PLCs reachable at all |
| Deploy a firewall in front of OT/ICS networks | Allows rules restricting access to trusted IP addresses only |
| Implement a VPN for any required remote access | Ensures remote connections are authenticated and encrypted rather than exposed directly |
| Enforce multi-factor authentication (MFA) on VPN access | Significantly raises the bar against credential-based compromise |
| Change all default manufacturer passwords immediately upon deployment | Eliminates the single largest enabler of this specific breach (default admin / 1111) |
| Follow standard password hygiene practices | Reduces the risk of brute-force or credential-guessing attacks even after defaults are changed |
| Maintain an inventory of internet-facing OT assets (e.g., via Shodan-style scanning) | Enables an organization to know its own exposure before an attacker finds it first |
| Treat OT safety layers (alarms, SIS) as a complementary — not a substitute — defense | Ensures physical safety backstops remain intact even if cyber controls are bypassed |
flowchart TD
Start([OT/ICS Security Baseline]) --> A{Is the device<br/>internet-facing?}
A -- Yes --> B[Remove direct exposure:<br/>place behind firewall/VPN]
A -- No --> C[Verify network segmentation<br/>is actually enforced]
B --> D{Default credentials<br/>still in use?}
C --> D
D -- Yes --> E[Change credentials immediately;<br/>apply password hygiene policy]
D -- No --> F[Enable MFA on remote access]
E --> F
F --> G[Maintain ongoing internet-exposure<br/>inventory / external scanning]
G --> H[Validate independent safety layers<br/>(alarms, SIS) remain intact]
H --> End([Reduced OT attack surface,<br/>preserved safety backstop])
Summary
The Aliquippa Water Authority breach is a case study in how a basic, avoidable systems-integration failure — not a sophisticated exploit — can expose critical infrastructure to compromise by a geopolitically motivated threat actor. Over a November weekend, the Iran-linked hacktivist group Cyber Avengers accessed internet-exposed Unitronics PLCs (chosen specifically because Unitronics is an Israeli manufacturer) at a Pennsylvania water booster station, using nothing more advanced than the device’s unchanged default credentials (admin / 1111). The attackers defaced the operator interface and renamed the PLC to “Gaza,” triggering an alarm that allowed operators to switch to manual control before any disruption to the water supply occurred.
The incident illustrates several durable lessons for OT/ICS security:
- Attack surface, not sophistication, is often the deciding factor. No vulnerability was exploited — only a device reachable directly from the internet with a manufacturer default password.
- Geopolitical targeting increasingly extends to equipment origin, not just organizational affiliation. A small US water utility became a target purely because of the nationality of its equipment vendor.
- Small and under-resourced operators are not “too small to be a target.” A utility serving fewer than 7,000 customers, competing for budget between aging physical infrastructure and cybersecurity investment, was targeted by a nation-state-linked group.
- Safety engineering is a legitimate complementary control to cybersecurity. The layers of protection model (process control → alarms/operator intervention → safety instrumented systems → accident mitigation layers) meant that even a successful intrusion did not translate into a loss of water supply.
- Exposure at scale is measurable and persistent. Shodan searches found roughly 1,800 internet-exposed Unitronics PLCs immediately after the breach, dropping only to around 1,600 a week later — most affected organizations still had not remediated their exposure even after public disclosure.
Defensive / Mitigation Checklist
- Never connect OT/ICS devices (PLCs, RTUs, HMIs) directly to the public internet.
- Place all OT/ICS assets behind a properly configured firewall with IP allow-listing.
- Require a VPN for any remote access into OT/ICS environments.
- Enforce multi-factor authentication (MFA) on all remote access, including VPNs.
- Change every manufacturer default password immediately at deployment — never leave defaults like
admin/1111in place. - Apply standard password hygiene (length, complexity, rotation) to all OT accounts.
- Regularly scan your own external footprint (e.g., using Shodan or similar tools) to discover unintentionally exposed OT devices.
- Treat independent safety layers (alarms, safety instrumented systems, physical mitigation) as essential complements to — not replacements for — cybersecurity controls.
- Assume that organizational size or perceived insignificance is not protection against nation-state-linked or hacktivist targeting, particularly where equipment origin or vendor nationality is politically salient.
- Build an incident response plan for OT/ICS specifically, including a clear path to manual operation when automated systems are compromised.
Search Terms
security · hot · takes · aliquippa · water · breach · threat · intel · networking · systems · ics · happened · layers · model · protection