States and Congress wrestle with cybersecurity at water utilities amid renewed federal warnings

HARRISBURG, Pa. — The small Aliquippa water authority in western Pennsylvania was perhaps the least suspected victim of an international cyberattack.

It has never had outside help protecting its systems from a cyberattack, either in its existing 1930s plant or in the new $18.5 million plant it is building.

Then it was hit — along with several other water companies — by what federal authorities say were Iranian-backed hackers who specifically targeted a device because it was Israeli-made.

“If you told me to list 10 things that would go wrong with our water authority, this wouldn't be on the list,” said Matthew Mottes, the chairman of the authority that provides water and wastewater to about 22,000 people in the wooded suburbs around a former steel town outside Pittsburgh.

The hacking of the Aliquippa Municipal Water Authority is prompting new warnings from U.S. security officials at a time when states and the federal government are grappling with how to protect water utilities from cyberattacks.

The danger, officials say, is that hackers could gain control of automated equipment to disable pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. In addition to Iran, other potentially hostile geopolitical rivals, including China, are seen as threats by U.S. officials.

A number of states have tried to tighten oversight, though water board advocates say the money and expertise are effectively lacking in an industry with more than 50,000 water utilities, most of which are local governments that, like Aliquippa's, operate in remote corners of the country where residents have modest resources and cybersecurity professionals are scarce.

In addition, utilities say it is difficult to invest in cybersecurity when maintenance of pipes and other water infrastructure is already underfunded, and some cybersecurity measures have been implemented by private water companies, prompting government backlash that they are being used as a backdoor to privatization.

The effort took on new urgency in 2021 when the federal government's leading cybersecurity agency reported five attacks on water authorities in two years, four of which involved ransomware and a fifth by a former employee.

At the Aliquippa authority, Iranian hackers disabled a remote-controlled device that monitors and controls water pressure at a pumping station. Customers were not affected by this as crews alerted by an alarm quickly switched to manual operation – but not every water board has a built-in manual backup system.

In the absence of action by Congress, a handful of states have passed legislation to increase cybersecurity oversight, including New Jersey and Tennessee. Before 2021, Indiana and Missouri had passed similar laws. A 2021 California law directed state security agencies to develop outreach and financing plans to improve cybersecurity in the agriculture and water sectors.

Legislation died in several states, including Pennsylvania and Maryland, where public water authorities fought bills backed by private water companies.

Private water utilities say the bills would force their public counterparts to adhere to the stricter regulatory standards that private companies face from utility commissions and, as a result, increase public confidence in the safety of tap water.

“It protects the nation's tap water,” said Jennifer Kocher, spokesperson for the National Association of Water Companies. “It is the most economical choice for most families, but it also leads to a lack of confidence among many people who think they can drink it, and every time there is one of these problems it undermines confidence in water and it undermines people's willingness and confidence in drinking it.”

Opponents say the legislation is intended to impose burdensome costs on governments and their boards and encourage taxpayers to sell out to private companies that can convince state utility commissions to raise rates to cover the costs.

“This is a privatization bill,” Justin Fiore of the Maryland Municipal League told Maryland lawmakers at a hearing last spring. “They are trying to take over public water companies, privatize them by increasing burdens and cutting public financing.”

For many authorities, cybersecurity demands tend to fade into the background of more pressing needs of residents wary of rate increases: aging pipes and rising costs to comply with clean water regulations.

One critic, Pennsylvania state Sen. Katie Muth, a Democrat from Montgomery County in suburban Philadelphia, criticized a bill drafted by the Republican Party for lack of funding.

“People are drinking substandard water, but selling out to companies that are going to raise rates for families in our state who can't afford it is not a solution,” Muth told colleagues during a floor debate on a 2022 bill.

Pennsylvania state Rep. Rob Matzie, a Democrat whose district includes the Aliquippa Water Authority, is working on legislation to create a funding stream to help water and electric utilities pay for cybersecurity upgrades, after he had looked for an existing source of financing and had not found one.

“The Aliquippa Water and Sewer Authority? They don't have the money,” Matzie said in an interview.

In March, the U.S. Environmental Protection Agency proposed a new rule to require states to monitor the cybersecurity of water systems.

It was short-lived.

Three states — Arkansas, Missouri and Iowa — sued, accusing the agency of exceeding its authority. A federal appeals court immediately suspended the rule. The EPA withdrew the rule in October, although a deputy national security adviser, Anne Neuberger, told The Associated Press that it could have “identified vulnerabilities that have been targeted in recent weeks.”

Two groups representing public water authorities, the American Water Works Association and the National Rural Water Association, opposed the EPA rule and are now supporting bills in Congress to address the issue in different ways.

One bill would roll out a layered approach to regulations: more requirements for larger or more complex water companies. The other is an amendment to the Farm Bill legislation to send federal workers, called “circuit riders,” into the field to help smaller and rural water systems identify and address cybersecurity weaknesses.

If Congress doesn't act, the six-year-old Safe Drinking Water Act standards will still be in effect — a largely voluntary regime that has produced minimal progress, according to both the EPA and cybersecurity analysts.

Meanwhile, states are in the process of applying for grants from a $1 billion federal cybersecurity program, money from the 2021 federal infrastructure law.

But water utilities will have to compete for money with other utilities, hospitals, police departments, courts, schools, local governments and others.

Robert M. Lee, CEO of Dragos Inc., which specializes in cybersecurity for industrial control systems, said the Aliquippa Water Authority's narrative — that it had no cybersecurity help — is common.

“That story involves tens of thousands of utilities across the country,” Lee said.

That's why Dragos has started offering free access to its online support and software that helps detect vulnerabilities and threats for water and electric utilities that generate less than $100 million in revenue.

After Russia attacked Ukraine in 2022, Dragos tested the idea by rolling out software, hardware and installation at a cost of a few million dollars to 30 utilities.

“It's been great, the feedback,” Lee said. “You wonder, 'Hey, I think I can move the needle this way'… and those thirty said, 'Holy crap, no one ever paid attention to us. No one ever tried to help us.'”


Follow Marc Levy at