
US cybersecurity gaps exposed as water utilities targeted by hackers

  • The Aliquippa Water District in western Pennsylvania, along with other U.S. water utilities, was the victim of an international cyberattack.
  • Following the attack, U.S. security officials expressed concern about the vulnerability of water utilities to cyber threats.
  • Despite growing threats, many water utilities, especially smaller ones, lack the funding and expertise needed for effective cybersecurity measures.

The tiny Aliquippa Water Authority in western Pennsylvania was perhaps the least likely victim of an international cyberattack.

The authority has never received outside help to protect its systems from cyberattacks, either at its existing plant built in the 1930s or at its new $18.5 million plant.

Then, along with several other water utilities, it came under attack by Iranian-backed hackers, who federal officials say targeted equipment specifically because it was made in Israel.

“If you asked me to name 10 problems with our water department, this wouldn't be on the list,” said Water Board Chairman Matthew Motts, whose authority manages water and sewage services for about 22,000 people who live in the forest suburbs surrounding a former steel town on the outskirts of Pittsburgh.

The hack of the Aliquippa Water District has prompted new warnings from U.S. security officials as states and the federal government grapple with how to protect water utilities from cyberattacks.

This photo shows the screen of a hacked Unitronics device in Aliquippa, Pennsylvania on November 25, 2023. The hacked device was located at a pump booster station owned by the Aliquippa City Water Department. The electronic calling cards left behind by the hackers suggest they chose their targets because they use components manufactured by Israeli companies. (Aliquippa City Water Department, via AP)

The danger, officials said, is that hackers could take control of automated equipment and reprogram automated chemical processes to stop pumps that provide drinking water or contaminate the water. Besides Iran, other potentially hostile geopolitical rivals are considered threats by US officials, including China.

Many states have called for increased oversight, but water agency advocates say what the sector of more than 50,000 water utilities really lacks is funding and expertise. Most of them are municipal authorities like Aliquippa's that serve parts of the country with a low population and a shortage of cybersecurity experts.

Additionally, utilities say it is difficult to invest in cybersecurity when there is already a lack of funding to maintain water pipes and other water infrastructure. Some cybersecurity measures are being implemented by private water companies, which has led to a backlash from public authorities who say they are being used as a backdoor to privatization.

In 2021, the federal government's leading cybersecurity agency reported five attacks on water utilities in two years, four of them by ransomware and a fifth by a former employee, giving the effort new urgency.

At the Aliquippa authority, Iranian hackers disabled remote control devices that monitor and adjust water pressure at pumping stations. Crews, warned by an alert, quickly switched to manual operation, so customers were unaffected, but not all water utilities have built-in manual backup systems.

Congressional inaction has led some states, including New Jersey and Tennessee, to pass legislation to increase cybersecurity oversight. Similar laws were passed in Indiana and Missouri before 2021. A 2021 California law mandates state security agencies to develop support and funding plans to improve cybersecurity in the agricultural and water sectors.

In several states, including Pennsylvania and Maryland, public water authorities opposed bills backed by private water companies, leading to their demise.

Private water companies say the bill would force public companies to comply with stricter regulatory standards imposed by the Utility Board, thereby increasing public confidence in the safety of tap water.

“This protects the nation's tap water,” said Jennifer Kocher, a spokeswoman for the National Association of Water Companies. “Water is the most economical option for most households, but at the same time there is a lack of trust from many people who think they can drink it, and each time these problems occur, trust in water is eroded. It also hurts people's motivation. Believe me, drink it.”

Opponents say the bill is intended to impose burdensome costs on public agencies and encourage boards and ratepayers to sell out to private companies that can persuade state utility rate commissions to raise rates to cover those costs.

“This is a privatization bill,” Justin Fiore of the Maryland League of Cities told Maryland lawmakers during a hearing last spring. “They are trying to take over public water companies and privatize them by increasing burdens and cutting public funding.”

For many authorities, cybersecurity demands tend to be overshadowed by the more pressing needs of residents wary of rising rates, such as aging water pipes and rising costs of complying with water regulations.

One critic, Pennsylvania Sen. Katie Muth, a Democrat from Montgomery County, a suburb of Philadelphia, criticized the Republican-authored bill as lacking in funding.

“People are drinking substandard water, but selling it to companies who are going to raise their rates to families across the state who can't afford it is not the solution,” Muth told colleagues in a discussion on the 2022 bill.

Pennsylvania state Rep. Rob Mazzie, a Democrat whose district includes the Aliquippa Water District, said he is working on legislation that would create a funding source to help water utilities and electric utilities pay for cybersecurity upgrades, after looking for existing funding sources but not finding any.

“Aliquippa Water and Sewer Authority? They don't have any money,” Mazzie said in an interview.

In March, the U.S. Environmental Protection Agency proposed new rules that would require states to conduct cybersecurity audits of their water systems.

It was short-lived.

A federal appeals court quickly blocked the rule, after a lawsuit was filed by the states of Arkansas, Missouri, and Iowa, alleging that the agency overstepped its authority. The EPA rescinded the rule in October, but Vice President for National Security Ann Neuberger told The Associated Press that the agency may have “identified vulnerabilities that have been targeted in recent weeks.”

Two groups representing public water authorities, the American Water Works Association and the National Rural Water Association, opposed the EPA rule and are currently sponsoring legislation in Congress that would address the issue differently.

One bill would develop a phased approach to regulation. This would place more requirements on larger or more complex water utilities. Another would be an amendment to the Farm Bill that would send federal agents known as “circuit riders” to small local water systems to help them detect and address cybersecurity weaknesses.

If Congress does nothing, the Safe Drinking Water Act standards from six years ago will still be in place. Both the EPA and cybersecurity analysts say the largely voluntary system has made minimal progress.

Meanwhile, states are in the midst of applying for grants from the $1 billion federal cybersecurity program, funded under the 2021 federal infrastructure law.

But water utilities will have to compete for funding with other utilities, hospitals, police departments, courts, schools, local governments and more.

Robert M. Lee, CEO of Dragos Inc., which specializes in cybersecurity for industrial control systems, said the Aliquippa Water District's story of a lack of cybersecurity support is common.

“That's the story of tens of thousands of utilities across the country,” Lee said.

That's why Dragos has started offering free access to online support and software to help water and power utilities with less than $100 million in revenue detect vulnerabilities and threats.

After Russia attacked Ukraine in 2022, Dragos tested the idea by spending millions of dollars deploying software, hardware and installations to 30 power companies.

“The response has been amazing,” Lee said. “You'd think, 'Hey, I think we can move the needle this way' … and those 30 people would say, 'Shit, no one's ever paid any attention to us. No one's asked us for help.' I was like, 'I've never tried that.'”
