Ireland's First Confirmed OT Cyberattack
County Mayo, December 2023: Ireland's First Confirmed OT Cyberattack — Technical Analysis, Threat Actor Profile, and the National Exposure It Revealed
Executive Summary
In December 2023, a threat actor affiliated with the Islamic Revolutionary Guard Corps (IRGC) of Iran disabled the pumping system serving the Erris water scheme in County Mayo, Ireland. The attack left approximately 180 households without water for two days. The attacker did not breach any security system. There was no security system to breach. The Unitronics Vision Series programmable logic controller managing the pump was connected to the public internet with its factory-default administrative credentials unchanged since installation.
Ireland was not targeted strategically. The attacker — Cyber Av3ngers, an IRGC-affiliated threat actor — ran a global campaign against Unitronics-manufactured PLCs, selecting targets by equipment origin rather than by geography or strategic value. Ireland appeared in the target set because an Irish water utility was running a Unitronics PLC on the public internet with default credentials. The attack required no specialist capability, no insider knowledge, and no planning. A Shodan search, a browser, and the factory password were sufficient.
This paper presents the first comprehensive open-source technical analysis of the County Mayo attack — the only confirmed OT cyberattack on Irish critical infrastructure. It documents the attack mechanism, the CVE, the threat actor profile and campaign scope, the NCSC-IE response and its implications, and the regulatory obligations the attack activates under CER, NIS2, and the Cyber Resilience Act. Every technical parameter is sourced from named CISA advisories, CVE databases, and official regulatory documents.
1. The Attack — Exact Technical Parameters
Before this attack is assessable, it must be precisely characterised. The following technical parameters are sourced from CISA Advisory AA23-335A (1 December 2023), the CVE-2023-6448 entry in the NIST National Vulnerability Database, and Unitronics' published security advisory of the same date.
1.1 The Target — Erris Water Scheme, County Mayo
Infrastructure classification: Municipal water supply scheme serving the Erris Peninsula, north-west County Mayo. Operated by Mayo County Council under the Irish Water framework. The Erris scheme serves a rural and coastal population across a geographically dispersed distribution network.
OT equipment: Unitronics Vision Series programmable logic controller (PLC) — specifically a Vision570 unit based on the device characteristics disclosed in CISA AA23-335A and consistent with Unitronics' product documentation for water utility applications. The Vision570 integrates PLC functionality, a touchscreen HMI (human-machine interface), and a built-in web server accessible via Ethernet or cellular modem — a design intended to enable remote monitoring and control of pump stations without requiring a separate SCADA server.
Network connectivity: The Unitronics PLC was connected to the public internet — not to a private utility network or a VPN-protected remote access system. The public internet connection was the intentional configuration: it was how the utility's maintenance contractor accessed the unit remotely for monitoring and fault response. The PLC's web server was accessible on a public IP address with no network-layer access restriction.
Authentication configuration: Factory-default administrative credentials. Unitronics Vision Series controllers ship from the factory with a default username and password documented in the product manual. The manual is publicly available on Unitronics' website. The default credentials had not been changed since the controller was installed at the Erris pump station.
CVE-2023-6448 — EXACT SPECIFICATION: CVE-2023-6448 is the Common Vulnerabilities and Exposures entry documenting the Unitronics Vision Series default credential vulnerability. CVSS v3.1 base score: 9.8 (Critical). Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Translation: Network-accessible, low attack complexity, no privileges required, no user interaction required, high impact on confidentiality, integrity, and availability. A CVSS score of 9.8 is in the top 0.2% of all recorded CVEs by severity. The vector string AV:N/AC:L/PR:N/UI:N means any attacker anywhere on the internet with no prior access and no technical skill can exploit this vulnerability. Source: NIST NVD, CVE-2023-6448, published 1 December 2023.
The attack sequence:
Step 1: The attacker ran a Shodan query for Unitronics Vision Series controllers — a search that returns a list of publicly accessible Unitronics devices with their IP addresses, geographic locations, and open ports. Shodan indexed the Erris pump station controller because it was on the public internet with its web server port open.
Step 2: The attacker connected to the controller's web interface using a browser.
Step 3: The attacker entered the factory default username and password from the Unitronics product manual.
Step 4: Access was granted. The attacker had full administrative control of the pump station PLC.
Step 5: The HMI screen was defaced with the Cyber Av3ngers graphic and message.
Step 6: The pumping system was disabled.
Total time from Shodan query to operational effect: estimated under one hour based on the simplicity of the attack sequence and the campaign tempo confirmed by CISA.
Effect: Pumping system disabled. The HMI screen displayed the Cyber Av3ngers defacement graphic. Water pressure in the Erris distribution network fell as reservoir levels dropped. Approximately 180 households experienced loss of water supply. Duration of outage: approximately two days. Restoration required physical attendance at the pump station — the attack had disabled the remote control interface, so the system could not be restored remotely. A maintenance technician travelled to the station, assessed the damage, and restored the system manually.
Source: CISA, FBI, FISA, EPA, and NSA. Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors Including US Water and Wastewater Systems. 1 December 2023. NIST National Vulnerability Database. CVE-2023-6448. Published 1 December 2023. Unitronics. Security Advisory: Unitronics Vision Series PLC Vulnerability. 26 November 2023.
1.2 Why Default Credentials Are a Systemic Vulnerability — Not a Configuration Error
The instinctive characterisation of the County Mayo attack as a simple configuration error — somebody forgot to change the password — misses the systemic dimension of the vulnerability. Default credentials on industrial control equipment are a sector-wide condition, not an isolated oversight.
Industrial PLCs, SCADA servers, HMI panels, and network switches are deployed by contractors working to tight installation budgets and timelines. Credential change is a commissioning task that sits at the end of the installation checklist, after the system has been proved operational. In many installations, commissioning is completed under time pressure, the credential change is deferred to a post-commissioning hardening visit that is never scheduled, and the default credentials remain in place for the operational life of the device.
The scale of this condition is documented by Forescout Technologies in their OT/ICS Threat Evolution Report (January 2024): of the 110,000-plus ICS devices indexed on Shodan, more than 6,500 PLCs and controllers respond to Modbus and Siemens S7 protocol queries with no authentication required. Default credentials are a subset of this exposure — devices that require a username and password but accept the factory defaults. The actual number of ICS devices globally accessible with default credentials is not publicly quantified, but the CISA AA23-335A campaign — which hit targets in the United States, Ireland, and Israel simultaneously — suggests the population is large enough to support a global indiscriminate campaign.
THE INDISCRIMINATE THREAT MODEL: The County Mayo attack was not targeted at Ireland. It was not targeted at water infrastructure. It was targeted at Unitronics-manufactured equipment. The attacker's selection criterion was the vendor of the PLC — a manufacturer based in Israel — not the geographic location, operational significance, or network position of the targets. This is the most significant threat characterisation lesson of the attack: indiscriminate targeting based on equipment origin means that any organisation running any equipment from a manufacturer that becomes the subject of a hacktivist campaign is a potential target, regardless of its own threat profile or its perceived strategic significance. Mitigation cannot rely on being considered an unlikely target.
2. Threat Actor Profile — Cyber Av3ngers and the IRGC Nexus
Understanding the County Mayo attack requires understanding who conducted it, under what operational mandate, and what distinguishes their capability level from more sophisticated threat actors. This distinction matters for countermeasure calibration — the mitigation required to prevent a Cyber Av3ngers attack is different in character, though not in urgency, from the mitigation required against Volt Typhoon or Sandworm.
2.1 Cyber Av3ngers — Identity and Attribution
Attribution basis. CISA Advisory AA23-335A, co-signed by the FBI, FISA, EPA, and NSA, attributes the Unitronics PLC campaign to Cyber Av3ngers and identifies the group as affiliated with the Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The attribution is based on technical indicators (IP infrastructure, campaign tooling, and TTPs consistent with previously attributed IRGC operations), the targeting pattern (Unitronics equipment, Israeli vendor origin), and the defacement graphic used on compromised HMI screens.
Operational mandate. Cyber Av3ngers emerged as an active threat actor following the outbreak of the Israel-Hamas conflict in October 2023. Their stated operational objective was to target Israeli-owned or Israeli-manufactured infrastructure globally — a campaign of economic and psychological pressure on Israel through the disruption of systems using Israeli technology. Unitronics, headquartered in Tel Aviv, became a primary target because its PLCs are widely deployed in water utilities, building management systems, and industrial automation globally.
Capability assessment. Cyber Av3ngers is a Tier 2 threat actor in the classification used in the Badhbh Intelligence Brief framework — state-affiliated hacktivist capability. They do not possess Tier 1 (Sandworm, Volt Typhoon) ICS-specific tool development capability. Their attack method at County Mayo and across the global Unitronics campaign was entirely opportunistic and tool-light: Shodan reconnaissance, browser-based access, default credential exploitation, HMI defacement, and manual disruption of pumping operations. No custom malware was deployed. No zero-day exploit was used. No lateral movement to other systems was attempted. The attack was simple, effective, and repeatable at industrial scale precisely because it required no specialist capability.
Campaign scope. The AA23-335A campaign was not limited to Ireland. CISA confirmed simultaneous or near-simultaneous attacks on water utilities in Pennsylvania (Municipal Water Authority of Aliquippa), Texas, and other US states, as well as targets in Israel. The Five Eyes advisory describes the campaign as targeting 'multiple sectors including water and wastewater systems' across multiple countries. The Irish attack was one node in a distributed global campaign — not a specially targeted operation against Irish infrastructure.
Source: CISA, FBI, FISA, EPA, NSA. Advisory AA23-335A. 1 December 2023. US House Homeland Security Committee. Hearing on the Cyber Threat to Water Systems Infrastructure. February 2024. Municipal Water Authority of Aliquippa. Public Statement on Cyberattack. November 2023.
2.2 The Iranian Cyber Threat Ecosystem — Where Cyber Av3ngers Sits
Cyber Av3ngers is one component of a structured Iranian state cyber capability that operates across three tiers with different mandates, capabilities, and target sets. Understanding the tier structure is essential for calibrating the threat to Irish infrastructure against the full range of Iranian cyber activity — not just the Cyber Av3ngers campaign.
IRGC-CEC — Cyber-Electronic Command: The IRGC-CEC is the strategic cyber arm of the Islamic Revolutionary Guard Corps. It conducts offensive cyber operations against strategic targets — government networks, defence contractors, critical infrastructure — in support of Iranian national security objectives. The IRGC-CEC has been attributed with attacks against US critical infrastructure, Israeli defence networks, and European energy companies. Cyber Av3ngers operates under IRGC-CEC direction but with a more tactical, hacktivist mandate.
MOIS — Ministry of Intelligence and Security: Iran's primary foreign intelligence service conducts cyber espionage operations — credential harvesting, network penetration, and long-term persistent access in foreign government and commercial networks. MOIS-affiliated threat actors include APT34 (OilRig) and APT35 (Charming Kitten), both of which have conducted operations against European targets including energy sector organisations.
IRGC-affiliated hacktivist groups: Groups including Cyber Av3ngers, Moses Staff, and Predatory Sparrow operate with varying degrees of IRGC direction, conducting disruptive attacks, data theft, and psychological operations against targets consistent with Iranian geopolitical objectives. These groups have lower capability than state-directed APTs but operate at higher tempo, against softer targets, and with less operational security — making their activities more visible and more immediately disruptive to the targets they reach.
THE ESCALATION RISK: The County Mayo attack by a Tier 2 hacktivist group using commodity techniques demonstrates that Irish OT infrastructure is reachable. The implication for Tier 1 threat actors is direct: if a hacktivist group can reach and disable an Irish water utility PLC using a Shodan search and a default password, a Tier 1 state actor with ICS-specific capability — Sandworm's Industroyer, Volt Typhoon's pre-positioned SCADA access — faces a lower barrier to effect than the County Mayo case suggests. The County Mayo attack is the demonstrated baseline. The ceiling is determined by the most capable adversaries with a motivation to use it.
3. The Unitronics Vision Series — Technical Vulnerability Analysis
A complete analysis of the County Mayo attack requires understanding the specific technical characteristics of the Unitronics Vision Series that made the attack possible and the broader product class that shares those characteristics. The vulnerability is not unique to the specific unit at the Erris pump station — it is a class vulnerability affecting all Unitronics Vision Series controllers in the default configuration.
3.1 Unitronics Vision Series — Architecture and Connectivity
The Unitronics Vision Series (Vision120, Vision230, Vision350, Vision570, Vision700, Vision1040) is a range of all-in-one PLC and HMI controllers targeting small-to-medium industrial automation applications. Their defining architectural characteristic — relevant to the vulnerability — is the integrated web server that provides remote access to the controller's data tables, ladder logic status, and HMI screens via a standard web browser.
This web server function was marketed explicitly as enabling remote monitoring and troubleshooting without requiring a separate SCADA server or VPN infrastructure — a significant cost advantage for small utilities and industrial facilities operating without dedicated IT support. The commercial logic was sound: a water utility managing a rural pump station can have its maintenance contractor monitor the pump remotely via a browser rather than deploying a full SCADA system. The security consequence was that the web server interface was exposed to any network the controller was connected to — including, where the controller was connected via cellular modem or direct Ethernet to an internet connection, the public internet.
Default credential configuration: The Vision Series web server ships with a default username of 'admin' and a default password of '1234' — documented on page 197 of the Unitronics Vision OPLC User Manual, version 18.12, publicly available from Unitronics' website. This is not a hidden or obscure default. It is in the user manual that every installer receives. The vulnerability is not that the default exists — all network equipment ships with default credentials — but that no enforcement mechanism required the default to be changed before the web server would accept connections from outside the local network.
The rebranding issue: CISA AA23-335A specifically notes that some Unitronics Vision Series controllers were rebranded and sold under alternative trade names by regional distributors, including 'Eurotronics' branding in some European markets. Irish water utilities purchasing OT equipment from local suppliers may have received Unitronics Vision Series hardware without the Unitronics name on the label — reducing the likelihood that a generic security advisory about 'Unitronics PLCs' would be recognised as applicable to their equipment. Post-attack, NCSC-IE specifically advised operators to check for Unitronics equipment regardless of the brand label on the physical unit.
Source: Unitronics. Vision OPLC User Manual Version 18.12. Chapter 7: Remote Access and Connectivity. Available: support.unitronics.com. CISA. Advisory AA23-335A. Section: Technical Details — Default Credentials. 1 December 2023.
3.2 The Shodan Exposure — How the Attacker Found the Target
Shodan (shodan.io) is a search engine for internet-connected devices. Unlike Google, which indexes web page content, Shodan indexes the responses of internet-connected devices to protocol queries — returning information about what software is running on which ports, what hardware is present, and in many cases what version and configuration the device is in. For industrial control equipment, Shodan returns data that in most cases is sufficient to identify the device type, the firmware version, the open ports, and in some cases the authentication status.
A Shodan search for Unitronics Vision Series controllers in late November 2023 returned a list of publicly accessible units with their IP addresses, geographic locations, open port configurations, and in many cases the vendor identification string confirming the device as a Unitronics Vision controller. The attacker used this list to identify candidate targets, then connected to each one's web interface and attempted the default credentials. For every target where the default credentials had not been changed, the attacker had full administrative access within seconds.
The Shodan exposure is not a bug in Shodan and not a vulnerability in the Unitronics device's network stack. It is the consequence of a device designed for remote browser access being connected to the public internet. Any device accessible from the public internet will be indexed by Shodan. The only way to prevent Shodan indexing is to prevent the device from being accessible from the public internet — which means implementing network access controls that restrict connections to authorised IP addresses or VPN-authenticated sessions only.
THE SHODAN AUDIT — WHAT NCSC-IE DID AND WHAT IT REVEALED: Following the County Mayo attack, NCSC-IE conducted a national audit of internet-exposed industrial control equipment, specifically including Unitronics-equivalent devices, across Irish water utilities and other CNI sectors. The audit used the same Shodan-based methodology the attacker used. The result confirmed that NCSC-IE did not have a pre-existing complete inventory of internet-exposed OT equipment across Irish CNI — the national picture of what was accessible and what was running default credentials was not known before December 2023. The audit was the first systematic exercise of this kind conducted at national scale in Ireland. That it was triggered by an attack rather than by proactive risk management is the institutional lesson.
3.3 The Broader Unitronics Vulnerability Class — Irish and European Exposure
CVE-2023-6448 affects all Unitronics Vision Series controllers running firmware versions prior to 9.8.65. Unitronics released firmware version 9.8.65 on 21 November 2023 — nine days before the CISA advisory — specifically to address the default credential vulnerability by requiring the user to change the default password on first connection from a non-local network address. Devices running firmware 9.8.65 and above are not vulnerable to the unauthenticated default credential attack.
The remediation requires a firmware update — a procedure that for many utilities means scheduling a maintenance window, physically attending the site (or having a remote access capability that, if already compromised, cannot be used for the update), and following the firmware update procedure. For rural utilities with limited IT support, this is a non-trivial operational task. CISA AA23-335A's recommended immediate mitigations — issued because firmware update was not immediately achievable for many operators — included: disconnect the PLC from the public internet immediately; if internet connectivity is required, restrict access to known-good IP addresses at the network firewall; change the default credentials immediately from a trusted local connection; and enable multi-factor authentication on all remote access pathways.
Source: Unitronics. Security Advisory: UniStream/Vision series controllers — Remote Access Vulnerability. November 2023. CVE detail: NVD NIST, CVE-2023-6448, CVSS 9.8 Critical. Firmware fix: Unitronics firmware version 9.8.65, released 21 November 2023.
4. The NCSC-IE Response — What Happened and What It Means
The Irish National Cyber Security Centre's response to the County Mayo attack is itself an analytically important data point — both for what it demonstrated about NCSC-IE's incident response capability and for what it revealed about the pre-existing state of Irish OT security awareness.
4.1 Immediate Response
Detection: The attack was detected not by any automated security monitoring system at the Erris pump station but by operational observation — the pump station stopped working and residents reported loss of water pressure. There was no IDS, no SIEM alert, no anomaly detection. The attack was identified as a cyberattack only when the maintenance contractor attended the site and found the Unitronics HMI screen displaying the Cyber Av3ngers defacement graphic.
Notification: Mayo County Council and Irish Water notified NCSC-IE following the identification of the defacement graphic and confirmation of the attack vector. NCSC-IE acknowledged the incident and coordinated with CISA — the CISA advisory AA23-335A, issued on 1 December 2023, references the Irish attack alongside the US incidents and was developed with input from international partners including Ireland.
National audit: NCSC-IE conducted a national audit of Unitronics Vision Series and equivalent OT equipment across Irish water utilities and other CNI sectors, using Shodan and direct notification to operators. Operators were advised to: check for Unitronics equipment including rebranded variants; disconnect affected units from the public internet immediately; change default credentials; apply the firmware update when operationally feasible; and report any evidence of previous unauthorised access.
Restoration: The Erris pump station was restored to service approximately two days after the attack. Restoration required physical attendance, manual reset of the pump control system, credential change, and isolation of the controller from the public internet pending a longer-term remote access solution using a VPN-protected pathway.
4.2 What the Response Revealed — The Institutional Findings
The NCSC-IE response was effective in the immediate term — the national audit was conducted, advisories were issued, and the affected system was restored. But the response process itself revealed four institutional findings that are more significant than the attack event:
No pre-existing national OT inventory: NCSC-IE did not have a complete picture of internet-exposed OT equipment across Irish CNI before December 2023. The national audit was the first time this picture was assembled. A risk management framework that does not know what assets are exposed cannot assess whether those assets are protected. CER Article 12 (all-hazards risk assessment) requires operators to identify their critical assets — but the national picture of what is exposed on the public internet requires a national-level exercise, not just operator-level risk assessments.
Detection was operational, not technical: The attack was detected because the pump stopped working, not because any security monitoring system detected unauthorised access. For an attack with more subtle objectives — reconnaissance, credential harvesting, or pre-positioning rather than immediate disruption — the detection mechanism would not have worked. The County Mayo attacker made no attempt at concealment. A more sophisticated attacker with the same initial access would have been undetected.
Remote access architecture was uncontrolled: The Erris pump station's remote access configuration — PLC on public internet with default credentials — was the operational standard for remote monitoring at many small utilities, not an exceptional lapse. The commercial rationale (cost, simplicity, no IT support required) that drove the configuration is the same rationale that has produced similar configurations across European water, waste, and building management infrastructure. County Mayo is the documented case; the population of similar configurations is larger.
Restoration required physical attendance: The attack disabled the remote access interface, requiring a maintenance technician to travel to the pump station for restoration. In a coordinated multi-site attack — targeting multiple pump stations simultaneously — the restoration burden across a rural county would be substantial: physical attendance at each affected site, sequenced by restoration priority, with no remote capability available during the restoration period. This is the consequence model that a Tier 1 attacker designs for: not a two-day local outage, but a multi-week county-wide disruption requiring physical attendance at dozens of locations simultaneously.
THE DETECTION GAP: The most consequential finding of the County Mayo attack is not the vulnerability that was exploited — that has a known remediation. It is the detection capability that was absent: no automated monitoring of the PLC's authentication log, no network-level detection of anomalous connections to the OT device, no alert on the HMI defacement until a resident reported loss of water pressure. OT security that relies on operational failure — the pump stops working — as its primary detection mechanism is not a security programme. It is an absence of one.
5. Technical Countermeasures — The Seven Actions
The County Mayo attack is remediable. The technical countermeasures are well understood, commercially available, and in most cases implementable within existing operational maintenance budgets. The following seven actions are sequenced in order of implementation priority and are directly derived from CISA AA23-335A recommended mitigations, NCSC-IE post-incident guidance, and IEC 62443-3-3 OT security requirements.
5.1 Immediate Actions — No Capital Required
Action 1 — Shodan audit of all OT assets: Run a Shodan query for all IP ranges associated with your organisation's internet-connected infrastructure. Identify any OT devices — PLCs, HMIs, SCADA servers, building management controllers, IP cameras at utility sites — that appear in the results. Any OT device that Shodan can reach is accessible to any attacker. This audit takes less than one hour and requires no specialist tools — Shodan provides a free basic account. The NCSC-IE conducted this nationally after County Mayo; operators should conduct it for their own infrastructure before an incident forces it.
Action 2 — Default credential change on all internet-accessible OT devices: For every OT device identified in the Shodan audit: change the administrative username and password from the factory default to a complex credential stored in a password manager. Document the change in the site security register. Verify the change by attempting to log in with the old default — it should fail. This action costs nothing and takes minutes per device. It is the single action that would have prevented the County Mayo attack entirely.
Action 3 — Disconnect OT devices from the public internet: Any OT device that does not require remote access should be disconnected from any network with a path to the public internet. Any OT device that does require remote access should be placed behind a VPN gateway — connections to the device are only possible after VPN authentication, and the device itself is not accessible from the public internet. The VPN gateway should be the only internet-facing element; the OT device sits behind it on a private network segment.
5.2 Short-Term Actions — Weeks to Months
Action 4 — Firmware update programme for all Unitronics Vision Series and equivalent devices: Apply firmware version 9.8.65 or later to all Unitronics Vision Series controllers. For other PLC and HMI platforms, subscribe to CISA ICS-CERT advisories and the relevant vendor security bulletins. Implement a firmware update programme with defined review cycles — quarterly review of outstanding advisories for all deployed OT platforms, with a defined maximum time-to-patch for Critical-rated CVEs (CVSS 9.0 and above) of 30 days from advisory publication.
Action 5 — Network segmentation — OT on isolated VLAN: Place all OT equipment on a dedicated network VLAN with no direct routing path to the corporate IT network or to the internet. All data flows crossing the OT boundary — remote access, historian data transfer, firmware update delivery — must traverse a controlled boundary point with full logging. This is IEC 62443-3-3 Security Level 2, the minimum standard for water utility OT environments under NIS2 Article 21. The network segmentation is the architectural control that makes Actions 1-3 enforceable at scale: even if a device's credentials are compromised, an attacker on the internet cannot reach it through a properly segmented network boundary.
Action 6 — OT authentication log monitoring: Enable authentication logging on all OT devices that support it. Configure log forwarding to a centralised log management system (SIEM or equivalent). Define alert rules for: failed authentication attempts above a defined threshold (5 failed attempts within 60 seconds is a standard brute-force detection rule); successful authentication from an IP address not in the authorised access list; authentication events outside defined operational hours without pre-authorisation. This is the detection capability that was absent at County Mayo and whose absence meant the attack was not detected until the pump stopped working.
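The three alert rules in Action 6 can be expressed as a small detector run over forwarded authentication events. The following is an added example, not from the paper and not Unitronics' logging format: it assumes a constructed syslog-style line (`<timestamp> <host> auth OK|FAIL user=... src=...`), a constructed contractor allow-list and maintenance window, and addresses from the RFC 5737 documentation ranges. The constructed sample log deliberately includes the pattern Section 4.1 describes, a first-attempt success from an unknown address at night, to show that the allow-list and out-of-hours rules fire even when no failed attempts precede the login.

```python
"""Alert rules for OT authentication logs (added example, not from the paper).

The log line format, hosts, allow-list and maintenance window are constructed for
this example; this is not Unitronics' own log output. Addresses are from the
RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import re
from typing import Optional

# Constructed line format: 2023-11-26T02:14:05Z plc-pump-01 auth FAIL user=admin src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for anything that is not an auth record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return AuthEvent(ts, m["host"], m["result"] == "OK", m["user"], m["src"])


def detect(lines, allowed_nets, maintenance_windows=(), ops_hours=(7, 19),
           threshold=5, window_s=60):
    """Apply the three Action 6 rules and return one dict per alert, in log order."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    brute_alerted = set()               # one BRUTE_FORCE alert per source
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if not ev.ok:
            # Rule 1: N failures from one source within the sliding window.
            q = recent_fails[ev.src]
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev.src not in brute_alerted:
                brute_alerted.add(ev.src)
                alerts.append({"rule": "BRUTE_FORCE", "host": ev.host, "src": ev.src,
                               "ts": ev.ts, "detail": f"{len(q)} failures within {window_s}s"})
            continue
        # Rule 2: successful login from a source outside the authorised access list.
        if not any(ipaddress.ip_address(ev.src) in n for n in nets):
            alerts.append({"rule": "UNAUTHORISED_SOURCE", "host": ev.host, "src": ev.src,
                           "ts": ev.ts, "detail": f"user={ev.user} not in allow-list"})
        # Rule 3: successful login outside operational hours with no pre-authorised window.
        in_hours = ops_hours[0] <= ev.ts.hour < ops_hours[1]
        pre_authorised = any(start <= ev.ts <= end for start, end in maintenance_windows)
        if not in_hours and not pre_authorised:
            alerts.append({"rule": "OUT_OF_HOURS", "host": ev.host, "src": ev.src,
                           "ts": ev.ts, "detail": f"user={ev.user} at {ev.ts.time()} UTC"})
    return alerts


# --- constructed sample configuration and log ---------------------------------
UTC = timezone.utc
ALLOWED_NETS = ["198.51.100.0/24"]   # constructed: maintenance contractor's VPN egress range
MAINTENANCE_WINDOWS = [(datetime(2023, 11, 26, 21, 0, tzinfo=UTC),
                        datetime(2023, 11, 26, 23, 0, tzinfo=UTC))]
SAMPLE_LOG = """\
2023-11-26T02:14:05Z plc-pump-01 auth OK user=admin src=203.0.113.7
2023-11-26T03:40:00Z plc-pump-01 auth FAIL user=admin src=203.0.113.9
2023-11-26T03:40:09Z plc-pump-01 auth FAIL user=admin src=203.0.113.9
2023-11-26T03:40:17Z plc-pump-01 auth FAIL user=admin src=203.0.113.9
2023-11-26T03:40:28Z plc-pump-01 auth FAIL user=admin src=203.0.113.9
2023-11-26T03:40:35Z plc-pump-01 auth FAIL user=admin src=203.0.113.9
this line is not an auth record and is skipped by the parser
2023-11-26T10:30:00Z plc-pump-01 auth OK user=contractor src=198.51.100.20
2023-11-26T22:05:00Z plc-pump-01 auth OK user=contractor src=198.51.100.20
""".splitlines()


def run_sample():
    """Run the detector over the constructed log; returns three alerts."""
    return detect(SAMPLE_LOG, ALLOWED_NETS, MAINTENANCE_WINDOWS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts'].isoformat()} {a['rule']:20} {a['host']} {a['src']} {a['detail']}")
```

On the sample, the first-try success from 203.0.113.7 at 02:14 raises UNAUTHORISED_SOURCE and OUT_OF_HOURS with no failed attempts involved, the burst from 203.0.113.9 raises BRUTE_FORCE on its fifth failure, and the contractor's in-hours and pre-authorised logins raise nothing. The second rule is the one that matters most for the default-credential case: a brute-force threshold never fires when the first password tried is the right one.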
5.3 Medium-Term Actions — Months to 12 Months
Action 7 — OT asset inventory and risk register: Develop and maintain a complete inventory of all OT assets, including: device type and firmware version; network connectivity and IP address; remote access configuration; current authentication status (default credentials changed or not; MFA enabled or not); last security review date. This inventory is the prerequisite for all other actions — you cannot patch what you have not inventoried, you cannot monitor what you do not know exists, and you cannot report a GDPR/NIS2 incident accurately if you do not have a complete picture of what was affected. CER Article 12 requires operators to identify their critical assets — this inventory is that identification process applied to OT equipment.
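Actions 1, 4 and 7 fit together as one register check: reconcile what is reachable from the internet in the organisation's own address ranges against the inventory, then apply the thresholds given above (fixed firmware 9.8.65 for Unitronics Vision, a 30-day deadline for Critical advisories). The following is an added example, not the paper's or any vendor's tooling. The inventory schema, asset names, firmware values, the "Example BMS Controller" product, and the exposure records (shaped like Shodan host results with `ip_str`, `port` and `product` fields, but constructed here rather than retrieved) are all assumptions; addresses are from the RFC 5737 documentation and RFC 1918 private ranges.

```python
"""OT asset register checks (added example, not the paper's or any vendor's tooling).

Reconciles an internal OT inventory with the organisation's own internet
exposure, then applies the thresholds from the text: fixed firmware 9.8.65 for
Unitronics Vision controllers and a 30-day patch deadline for Critical
(CVSS >= 9.0) advisories. Assets, addresses, firmware values and exposure
records are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

CRITICAL_CVSS = 9.0      # threshold from Action 4
PATCH_SLA_DAYS = 30      # maximum time-to-patch from Action 4


@dataclass
class OtAsset:
    name: str
    ip: str
    product: str
    firmware: str
    default_credentials: bool   # factory credentials still in place
    mfa: bool                   # MFA enforced on the remote access pathway
    remote_access: str          # "none", "vpn" or "internet"


@dataclass
class Finding:
    asset: str
    issue: str
    detail: str


def version_tuple(v: str) -> tuple:
    """Compare firmware numerically: '9.8.65' must rank above '9.8.9'."""
    return tuple(int(p) for p in v.split("."))


def assess(assets, exposed_hosts, org_ranges, advisories, today):
    """Return one Finding per control gap across the register."""
    ranges = [ipaddress.ip_network(r) for r in org_ranges]
    by_ip = {a.ip: a for a in assets}
    findings, exposed_ips = [], set()
    for host in exposed_hosts:
        ip = host["ip_str"]
        if not any(ipaddress.ip_address(ip) in r for r in ranges):
            continue   # not the organisation's address space; outside this audit
        exposed_ips.add(ip)
        if ip not in by_ip:   # reachable device that nobody has in the register
            findings.append(Finding("(not in register)", "UNINVENTORIED_EXPOSURE",
                                    f"{ip}:{host['port']} {host.get('product', '?')} reachable from the internet"))
    for a in assets:
        if a.ip in exposed_ips or a.remote_access == "internet":
            findings.append(Finding(a.name, "INTERNET_EXPOSED", f"{a.ip} reachable without VPN"))
        if a.default_credentials:
            findings.append(Finding(a.name, "DEFAULT_CREDENTIALS", "factory credentials unchanged"))
        if a.remote_access != "none" and not a.mfa:
            findings.append(Finding(a.name, "NO_MFA", f"remote access via {a.remote_access} without MFA"))
        for adv in advisories:
            if not a.product.startswith(adv["product"]):
                continue
            if version_tuple(a.firmware) >= version_tuple(adv["fixed_firmware"]):
                continue
            findings.append(Finding(a.name, "FIRMWARE_VULNERABLE",
                                    f"{a.firmware} < {adv['fixed_firmware']} ({adv['id']})"))
            age = (today - adv["published"]).days
            if adv["cvss"] >= CRITICAL_CVSS and age > PATCH_SLA_DAYS:
                findings.append(Finding(a.name, "PATCH_OVERDUE",
                                        f"{adv['id']} published {age} days ago, limit {PATCH_SLA_DAYS}"))
    return findings


def summarise(findings):
    """Count findings per issue type for the risk register summary."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# --- constructed sample data ---------------------------------------------------
ADVISORIES = [{"id": "CVE-2023-6448", "product": "Unitronics Vision", "cvss": 9.8,
               "published": date(2023, 12, 1), "fixed_firmware": "9.8.65"}]   # values from the text
ORG_RANGES = ["203.0.113.0/24", "10.20.0.0/16"]
ASSETS = [
    OtAsset("pump-station-a", "203.0.113.10", "Unitronics Vision570", "9.8.60", True, False, "internet"),
    OtAsset("pump-station-b", "10.20.0.5", "Unitronics Vision570", "9.8.65", False, True, "vpn"),
    OtAsset("depot-bms", "10.20.0.9", "Example BMS Controller", "2.1.0", True, False, "none"),
]
EXPOSED_HOSTS = [   # shaped like Shodan host records, but constructed, not retrieved
    {"ip_str": "203.0.113.10", "port": 80, "product": "Unitronics Vision570"},
    {"ip_str": "203.0.113.44", "port": 80, "product": "Unitronics Vision"},
    {"ip_str": "192.0.2.1", "port": 80, "product": "Unitronics Vision"},   # not our range
]


def run_sample(today=date(2024, 1, 15)):
    return assess(ASSETS, EXPOSED_HOSTS, ORG_RANGES, ADVISORIES, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.asset:20} {f.issue:24} {f.detail}")
    print(summarise(run_sample()))
```

For the constructed register this yields seven findings: five against pump-station-a (the County Mayo configuration), one default-credential finding on the isolated building controller, one uninventoried device answering on port 80 in the organisation's own range, and nothing against the VPN-fronted, patched controller. The UNINVENTORIED_EXPOSURE case is the one a Shodan audit adds over a paper inventory: a device that is reachable but that the register does not know about cannot be patched, monitored or reported on.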
THE SEVEN ACTIONS AS REGULATORY COMPLIANCE: These seven actions are not discretionary best practices. They are the minimum technical measures required for compliance with NIS2 Article 21 (risk management measures for network and information systems including OT), CER Article 12/13 (all-hazards risk assessment and proportionate resilience measures), and from December 2027, CRA Regulation Article 13 (default password prohibition for connected products). An Irish water utility that has not implemented Actions 1-3 following the County Mayo attack and the publication of CISA AA23-335A is in regulatory non-compliance with NIS2 Article 21 as implemented under Irish law.
6. Regulatory Framework — What County Mayo Activates
The County Mayo attack is not only a technical event — it is a regulatory trigger. Three European regulatory instruments are directly activated by the attack and its implications for Irish OT infrastructure. Understanding the specific obligations they create is essential for operators, regulators, and public authorities managing Irish CNI.
6.1 CER Directive — S.I. 559/2024 (In Force)
The Critical Entities Resilience Directive (EU 2022/2557), transposed into Irish law as S.I. 559/2024, is in force. It applies to operators of critical entities in eleven sectors including water supply and distribution.
Article 12 — All-hazards risk assessment: Operators must implement an all-hazards risk assessment covering physical and cyber threats to their critical infrastructure and services. An all-hazards risk assessment conducted by an Irish water utility that does not include cyber attack via internet-exposed OT equipment as a named threat scenario — after the documented County Mayo attack and the CISA AA23-335A advisory — is not compliant with Article 12. The threat is documented, the attack vector is confirmed, and the Irish exposure is confirmed. There is no credible basis for excluding it from a post-December 2023 risk assessment.
Article 13 — Proportionate resilience measures: Operators must implement appropriate and proportionate measures to ensure resilience against identified risks. For internet-exposed OT equipment with default credentials, the proportionate measures are Actions 1-3 in Section 5 above — all of which are zero-cost or low-cost. The proportionality assessment is straightforward: the cost of changing a default password (zero) is proportionate against any consequence of a successful attack. An operator who has not changed the default credentials on an internet-accessible PLC cannot credibly argue that the mitigation is disproportionate to the risk.
6.2 NIS2 Directive — Ireland Missed 17 October 2024 Transposition Deadline
NIS2 (EU 2022/2555) required transposition into national law by 17 October 2024. Ireland missed this deadline. NIS1 remains in force pending NIS2 transposition. However, the substantive requirements of NIS2 are the standard against which Irish operators will be assessed once transposition occurs — and given the Commission's attention to the missed deadline, that transposition is a near-term certainty.
Article 21 — Risk management measures: Article 21 specifically requires measures addressing 'the security of network and information systems' including 'supply chain security' and 'vulnerabilities handling and disclosure.' CVE-2023-6448 is a disclosed vulnerability with a published CVSS score of 9.8 — the highest severity class. An operator who has not patched or mitigated a CVSS 9.8 Critical vulnerability affecting deployed OT equipment, following its publication on 1 December 2023 and its specific attribution in an Irish attack, has a defensible non-compliance position under NIS2 Article 21 only if they can demonstrate that mitigation was technically impossible within a reasonable timeframe. For the County Mayo vulnerability, mitigation (credential change, internet disconnection) was achievable within hours of the advisory publication.
Article 32/33 — Enforcement and personal liability: NIS2 enforcement provides for fines up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities. Personal liability for senior management is established by Article 32(6): management bodies of essential entities can be held personally liable for non-compliance with NIS2 risk management obligations. The precedent for personal liability was set by the conviction of Uber's CSO Joe Sullivan in the United States in October 2022 — the mechanism under NIS2 provides a European equivalent pathway.
6.3 Cyber Resilience Act — Application from December 2027
Default passwords — prohibited from December 2027: CRA Article 13(2)(b) prohibits placing connected products on the EU market with default passwords from December 2027. A Unitronics Vision Series PLC with a default password of '1234' will be prohibited from sale in the EU from that date. Every procurement specification for OT equipment from 2025 onwards should include CRA compliance as a contractual requirement — not as a future obligation but as a current procurement standard that avoids the need for a mid-lifecycle replacement programme when CRA comes fully into force.
Vulnerability disclosure — mandatory from September 2026: CRA Article 14 requires manufacturers to report actively exploited vulnerabilities to ENISA within 24 hours of discovery, and to notify affected users. From September 2026, an event equivalent to CVE-2023-6448 would require Unitronics to notify ENISA within 24 hours and to notify all registered users of affected products. The notification obligation sits with the manufacturer — but the operator's obligation to act on that notification is not diminished by the CRA notification requirement.
THE CRA PROCUREMENT STANDARD: Every OT equipment procurement in Ireland from 2025 onwards should include the following contractual requirement as a minimum: 'The supplied equipment must comply with the Cyber Resilience Act (EU 2024/2847). Specifically: no default passwords; security updates provided for the minimum supported lifetime of the device; vulnerability disclosure to ENISA and to the purchaser within 24 hours of discovery of an actively exploited vulnerability; CE marking confirming CRA compliance.' This specification, inserted into procurement contracts now, prevents the deployment of CRA non-compliant equipment and documents the operator's due diligence in advance of CRA's full application date.
7. The Broader Irish Exposure — What County Mayo Implies
The County Mayo attack is the documented case. It is not the complete picture of Irish OT exposure. This section assembles what is known — from public sources, from the NCSC-IE post-incident communications, and from the national infrastructure context — about the broader Irish OT exposure that County Mayo revealed.
7.1 Water Infrastructure — The Sector Context
Ireland's water infrastructure comprises several hundred pump stations, treatment plants, reservoirs, and distribution network monitoring points operated by Irish Water, local authorities, and Group Water Schemes. The Group Water Scheme network — over 700 schemes providing water to approximately 130,000 rural properties in areas not served by the public mains network — is particularly relevant. Group Water Schemes are operated by community organisations with limited technical and IT resources. Many use basic OT equipment for pump monitoring and remote control. The risk of default credential configurations equivalent to the County Mayo installation is highest in this sector.
The NCSC-IE national audit following County Mayo was the first systematic exercise of this kind. Its findings have not been publicly disclosed in full — NCSC-IE's communications confirmed that the audit was conducted and that advisories were issued, but the number of exposed devices found, their geographic distribution, and their remediation status has not been publicly reported. The absence of a public report is not confirmation that the picture was clean.
7.2 The HSE 2021 Precedent — IT-OT Bleed in Irish Infrastructure
The Health Service Executive Conti ransomware attack of May 2021 — the worst cyberattack in Irish State history, with documented recovery costs exceeding EUR 100 million — demonstrated a different OT exposure mechanism: IT-OT bleed. Conti ransomware deployed against HSE IT systems reached operational technology environments including medical devices, building management systems, and diagnostic equipment, not through a direct OT exploit but through the IT-OT network boundary that was insufficiently segmented.
The HSE attack demonstrated that Irish OT infrastructure is reachable by Tier 3 threat actors — ransomware groups with no ICS-specific capability — through the IT network. The County Mayo attack demonstrated that Irish OT infrastructure is reachable by Tier 2 state-affiliated hacktivists — through direct internet exposure. Both pathways are confirmed. A Tier 1 state actor with ICS-specific capability (Sandworm, Volt Typhoon) has both pathways available to it, plus the ability to develop OT-specific tooling once it achieves initial access.
THE THREAT TIER INVERSION: The security implication of HSE 2021 and County Mayo 2023 combined is that Irish OT has been successfully reached by actors at the lowest two capability tiers. The expected relationship — in which higher-capability actors face higher barriers — does not hold in the Irish OT context because the barriers are low across all pathways. Addressing the Tier 2 and Tier 3 exposure (network segmentation, credential management, patch management) simultaneously raises the barrier for Tier 1 actors. There is no separate mitigation programme required for Tier 1 — the same architectural controls that prevent the next County Mayo also prevent the initial access phase of a Volt Typhoon or Sandworm operation.
7.3 The Grid, Gas, and Data Infrastructure Context
Irish energy infrastructure presents a structurally different OT exposure profile from water utilities: the SCADA systems controlling EirGrid and ESB Networks transmission and distribution are operated by larger organisations with dedicated OT security resources, and the internet-exposure risk is lower for the primary SCADA infrastructure. However, three structural factors create persistent vulnerability:
Single gas import route: the Moffat interconnector from Scotland. Gas network control systems managing this single-point supply route have a disproportionate consequence profile — a successful attack on gas network OT is not a localised outage but a national supply disruption.
40% of transatlantic internet traffic terminates on the Irish west coast. The cable landing station infrastructure — primarily operated by commercial entities rather than CNI-regulated operators — includes OT equipment managing cable termination, power feed, and monitoring systems. The regulatory boundary between 'telecommunications' and 'critical infrastructure' has not been consistently applied to cable landing station OT.
70-plus large-scale data centres consuming approximately 21% of national electricity. Data centre operators have varying OT security maturity levels. Building management systems, uninterruptible power supply controls, and cooling management systems at data centres are OT environments with the same default credential and internet exposure risks as the water sector.
Sources: EirGrid, Grid Development Strategy 2022 (EirGrid plc, Dublin); CRU, Commission for Regulation of Utilities Annual Report 2023; NCSC-IE, Annual Report 2023 (Dublin).
8. Conclusion — What County Mayo Means for Irish Infrastructure
The County Mayo attack is the most important Irish infrastructure security event since the HSE ransomware attack of 2021, and analytically more significant in what it reveals about the OT exposure landscape. The HSE attack was complex — a sophisticated ransomware deployment by a Tier 3 criminal organisation against a large IT network. County Mayo was simple: a Shodan search, a browser, and a factory password. The simplicity is the point.
If a Tier 2 hacktivist group conducting an indiscriminate global campaign against a specific equipment vendor can reach and disable an Irish water utility's pump station using commodity techniques in under an hour, then the barrier to OT effects against Irish infrastructure is lower than most risk assessments have assumed. The County Mayo attack did not require Ireland to be specifically targeted. It did not require knowledge of Irish infrastructure. It required only that an Irish utility was running equipment from a targeted vendor with default credentials on the public internet.
The remediation is proportionate to the cause. Seven actions — most of them zero or near-zero cost — address the vulnerability class that County Mayo exploited. They also raise the barrier against more capable adversaries who would use the same initial access pathway: network segmentation, credential management, authentication logging, and a maintained OT asset inventory are the foundations on which all higher-order OT security measures are built. A Volt Typhoon or Sandworm pre-positioning campaign requires initial network access — addressing the County Mayo access pathway closes one of the routes through which that initial access might be achieved.
The regulatory framework is now aligned with the technical requirement. CER Article 12/13 mandates the risk assessment and the proportionate measures. NIS2 Article 21 mandates the technical controls. The CRA from December 2027 prohibits the default password configuration that made the attack possible. The question for Irish water utilities, the CRU, and NCSC-IE is whether the regulatory implementation — the audit, the enforcement, and the remediation programme — will precede or follow the next attack.
County Mayo is confirmed: Ireland has been attacked. December 2023. IRGC-affiliated. Default credentials. CVE-2023-6448. CVSS 9.8. This is not a risk assessment scenario — it is a documented event.
The NCSC-IE national audit confirmed that the extent of the pre-existing exposure had been unknown. The audit was the first systematic exercise of its kind in Ireland. It was triggered by an attack, not by proactive risk management.
The seven remediation actions are available, proportionate, and in most cases zero-cost. An Irish water utility that has not implemented Actions 1-3 following AA23-335A is in regulatory non-compliance with NIS2 Article 21 and CER Article 13.
The implications for Tier 1 threat actors are direct. If Tier 2 reached Irish OT through a commodity pathway, Tier 1 actors face a lower barrier than the risk assessment community has assumed. Addressing the Tier 2 pathway simultaneously addresses the Tier 1 initial access risk.
The CRA procurement standard — insert now, before 2027. Every OT equipment procurement from 2025 onwards should contractually require CRA compliance. This is not a future obligation. It is current due diligence that prevents a mid-lifecycle replacement programme when CRA comes fully into force.
References and Primary Sources
All technical parameters, threat actor attributions, CVE data, incident facts, and regulatory references in this paper are sourced from the documents below.
CISA, FBI, FISA, EPA, NSA. Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors Including US Water and Wastewater Systems. 1 December 2023. Available: cisa.gov/news-events/cybersecurity-advisories/aa23-335a.
NIST National Vulnerability Database. CVE-2023-6448: Unitronics Vision Series PLC — Default Credentials. Published 1 December 2023. CVSS v3.1 Base Score: 9.8 Critical. Available: nvd.nist.gov/vuln/detail/CVE-2023-6448.
Unitronics. Security Advisory: UniStream/Vision Series Controllers — Remote Access Vulnerability. 26 November 2023. Available: unitronics.com/security-advisory.
Unitronics. Vision OPLC User Manual. Version 18.12. Chapter 7: Remote Access and Connectivity. Available: support.unitronics.com.
Municipal Water Authority of Aliquippa (Pennsylvania). Public Statement on Cyberattack. November 2023.
US House Homeland Security Committee. Hearing: The Cyber Threat to America's Water Systems Infrastructure. February 2024. Testimony of CISA Director Jen Easterly.
CISA. ICS Advisory ICSA-24-046-09: Unitronics Vision Series PLCs. February 2024.
Forescout Technologies. OT/ICS Threat Evolution Report. January 2024. Forescout Research — Vedere Labs.
CISA. Advisory AA24-038A: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. February 2024.
IBM Security / Ponemon Institute. Cost of a Data Breach Report 2023. IBM Corporation. July 2023.
Verizon. 2023 Data Breach Investigations Report. Verizon Business. 2023. n=16,312 incidents.
NCSC-IE. Annual Report 2023. National Cyber Security Centre Ireland. Dublin. 2023.
NCSC-IE. Advisory: Unitronics Vision Series PLC Vulnerability. December 2023. Available: ncsc.gov.ie.
European Union. CER Directive: Directive (EU) 2022/2557 on the Resilience of Critical Entities. December 2022. Transposed into Irish law: S.I. 559/2024.
European Union. NIS2 Directive: Directive (EU) 2022/2555 on Measures for a High Common Level of Cybersecurity across the Union. December 2022.
European Union. Cyber Resilience Act: Regulation (EU) 2024/2847 on Horizontal Cybersecurity Requirements for Products with Digital Elements. October 2024.
IEC 62443-3-3:2013: Industrial Communication Networks — IT Security for Networks and Systems — Part 3-3: System Security Requirements and Security Levels. IEC. Geneva. 2013.
IEC 62443-2-1:2010: Industrial Communication Networks — Security for Industrial Automation and Control Systems — Part 2-1: Establishing an IACS Security Program. IEC. Geneva. 2010.
ENISA. Water Sector Cybersecurity Threat Landscape. European Union Agency for Cybersecurity. 2022.
EirGrid. Grid Development Strategy 2022. EirGrid plc. Dublin. 2022.
CRU. Commission for Regulation of Utilities Annual Report 2023. CRU. Dublin. 2023.
United States v. Joseph Sullivan. US District Court, Northern District of California. Conviction October 2022. (Personal liability precedent for security leadership non-disclosure decisions.)