U.S. water utilities are under attack by foreign hackers, prompting calls for a cybersecurity overhaul

The small Aliquippa water utility in western Pennsylvania may be the least-suspecting victim of a foreign cyberattack.

It had never had outside help in protecting its systems from a cyberattack, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building.

Then, along with several other water companies, it was attacked by Iranian-backed hackers who targeted particular devices because they were Israeli-made.

“If you told me to list 10 things that could be approved in our water department, they wouldn’t be on the list,” said Matthew Mottes, president of the authority that manages water and wastewater for about 22,000 people in the wooded suburbs surrounding an old metal town outside the city of Pittsburgh.

The hack of the Aliquippa Municipal Water Authority has triggered new warnings from U.S. security officials at a time when states and the federal government are grappling with how to protect water utilities against cyberattacks.

This photo shows the screen of a Unitronics device that was hacked in Aliquippa, Pa., on Nov. 25, 2023. The hacked device is located at a booster pumping station owned by the Aliquippa Municipal Water Authority. An electronic calling card left behind by the hackers suggests that they chose their target because it uses parts manufactured by an Israeli company. (Aliquippa Municipal Water Authority via AP)

The danger, officials say, is that hackers could use automated devices to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. In addition to Iran, other potentially hostile geopolitical rivals, including China, are viewed by U.S. officials as a threat.

A number of states have sought to step up scrutiny, although water authority advocates say the money and the expertise are what is really lacking for a sector of more than 50,000 water utilities, most of which are local authorities that, like Aliquippa’s, serve corners of the country where residents are of modest means and cybersecurity professionals are scarce.

In addition, utilities say, it’s tricky to invest in cybersecurity when pipelines and other water infrastructure are already underfunded, and some cybersecurity measures have been pushed by private water companies, leading to pushback from public authorities that they are being used as a back door to privatization.

The efforts took on new urgency in 2021, when the top federal cybersecurity agency reported five attacks on water authorities in two years, four of them ransomware and a fifth by a former employee.

At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren’t affected because crews alerted by an alarm quickly switched to manual operation — but not every water authority has a built-in manual backup system.

With inaction in Congress, a handful of states passed legislation to step up scrutiny of cybersecurity, including New Jersey and Tennessee. Before 2021, Indiana and Missouri had passed similar laws. A 2021 California law commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.

Legislation died in several states, including Pennsylvania and Maryland, where public water authorities fought bills backed by private water companies.

Private water companies say the bills would force their public counterparts to abide by the stricter regulatory standards that private companies face from utility commissions and, as a result, boost public confidence in the safety of tap water.

“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokesperson for the National Association of Water Companies. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people’s willingness and trust in drinking it.”

Opponents said the legislation is designed to impose onerous costs on public authorities and encourage their boards and taxpayers to sell out to corporations that can persuade state utility commissions to raise rates to cover the costs.

“This is a privatization bill,” Justin Fiore of the Maryland Municipal League told Maryland lawmakers at a hearing last spring. “They need to take over the public water companies, privatise them by expanding the burden and cutting public funding.”

For many authorities, cybersecurity needs tend to fade in favor of more pressing concerns for residents wary of rate increases: aging pipes and rising costs to comply with drinking water regulations.

One critic, Pennsylvania state Sen. Katie Muth, a Democrat from the Philadelphia suburb of County, criticized a Republican-drafted bill for its lack of funding.

“People are drinking poor quality water, but touting it to corporations that are going to raise rates for families across our state who can’t is not a solution,” Muth told colleagues during debate on a 2022 bill.

Pennsylvania state Rep. Rob Matzie, a Democrat whose district includes the Aliquippa Water Authority, is working on legislation to create a funding stream for water and electric utilities to pay for cybersecurity improvements after looking for an existing source of funding and finding none.

“The Aliquippa Water and Sewerage Company? They don’t have the money,” Matzie said in an interview.

In March, the U.S. Environmental Protection Agency proposed a new rule to require states to audit the cybersecurity of water systems.

It was short-lived.

Three states — Arkansas, Missouri and Iowa — filed lawsuits, accusing the agency of overstepping its authority, and a federal appeals court temporarily suspended the rule. The EPA withdrew that rule in October, even though a deputy national security adviser, Anne Neuberger, told The Associated Press that it may have “identified vulnerabilities that have been attacked in recent weeks.”

Two groups that represent public water authorities, the American Water Works Association and the National Rural Water Association, opposed the EPA’s rule and are now backing bills in Congress to meet the challenge in other ways.

One bill would put in place a tiered regulatory approach: more requirements for larger or more complex water utilities. The other is an amendment to the Farm Bill to send federal workers called “circuit riders” into the field to help smaller rural water systems detect and address cybersecurity weaknesses.

If Congress does nothing, 6-year-old Safe Drinking Water Act standards will still be in place — a largely voluntary regime that both the EPA and cybersecurity analysts say has yielded minimal progress.

Meanwhile, states are in the process of applying for grants from a billion-dollar federal cybersecurity program, funded with money from the federal infrastructure law of 2021.

But water utilities will have to compete for that money with other utility companies, hospitals, police departments, courts, schools and local governments.

Robert M. Lee, chief executive of Dragos Inc., which specializes in cybersecurity for industrial systems, said the story of the Aliquippa Water Authority (which had no assistance with cybersecurity) was common.

“That story is tens of thousands of utilities across the country,” Lee said.

For this reason, Dragos has begun providing water and electric utilities that generate less than $100 million in revenue with flexible access to its online software, which helps detect vulnerabilities and threats.

After Russia attacked Ukraine in 2022, Dragos tested the idea by rolling out software, hardware and installation at a cost of a couple million bucks for 30 utilities.

“The results are incredible,” Lee said. “You wonder, ‘Hey, I think I can move the needle this way’ ... And those other 30 people were like, ‘Shit, nobody paid attention to us. No one has tried to get us help.’”
