The tiny Aliquippa water authority in western Pennsylvania was perhaps the least-suspecting victim of an international cyberattack.
Then it - along with several other water utilities - was struck by what federal authorities say are Iranian-backed hackers targeting a piece of equipment specifically because it was Israeli-made.
The hacking of the Municipal Water Authority of Aliquippa is prompting new warnings from U.S. security officials at a time when states and the federal government are wrestling with how to harden water utilities against cyberattacks.
The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments.
A number of states have sought to step up scrutiny, although water authority advocates say the money and the expertise are what is really lacking for a sector of more than 50,000 water utilities, most of which are local authorities that, like Aliquippa's, serve corners of the country where residents are of modest means and cybersecurity professionals are scarce.
Utilities say, it's difficult to invest in cybersecurity when upkeep of pipes and other water infrastructure is already underfunded, and some cybersecurity measures have been pushed by private water companies, sparking pushback from public authorities that it is being used as a back door to privatization.
Efforts took on new urgency in 2021 when the federal government's leading cybersecurity agency reported five attacks on water authorities over two years, four of them ransomware and a fifth by a former employee.
At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station.
Customers weren't affected because crews alerted by an alarm quickly switched to manual operation - but not every water authority has a built-in manual backup system.
A 2021 California law commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.
Legislation died in several states, including Pennsylvania and Maryland, where public water authorities fought bills backed by private water companies to force them to upgrade various aspects of their infrastructure, including pipes and cybersecurity measures.
Private water companies say the bills would force their public counterparts to abide by the stricter regulatory standards that private companies face from utility commissions and, as a result, boost public confidence in the safety of tap water.
For many authorities, the demands of cybersecurity tend to fade into the background of more pressing needs for residents wary of rate increases: aging pipes and increasing costs to comply with clean water regulations.
Pennsylvania state Rep. Rob Matzie, a Democrat whose district includes the Aliquippa water authority, is working on legislation to create a funding stream to help water and electric utilities pay for cybersecurity upgrades after he looked for an existing funding source and found none.
In March, the U.S. Environmental Protection Agency proposed a new rule to require states to audit the cybersecurity of water systems.
Two groups that represent public water authorities, the American Water Works Association and the National Rural Water Association, opposed the EPA rule and now are backing bills in Congress to address the issue in different ways.
One bill would roll out a tiered approach to regulation: more requirements for bigger or more complex water utilities.
If Congress does nothing, 6-year-old Safe Drinking Water Act standards will still be in place - a largely voluntary regime that both the EPA and cybersecurity analysts say has yielded minimal progress.
Water utilities will have to compete for the money with other utilities, hospitals, police departments, courts, schools, local governments and others.
Robert M. Lee, CEO of Dragos Inc., which specializes in cybersecurity for industrial-control systems, said the Aliquippa water authority's story - that it had no cybersecurity help - is common.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 02 Jan 2024 22:43:05 +0000