Feds Warn States, Congress of Water Utilities Cyberattacks

The Municipal Water Authority of Aliquippa, a small entity in western Pennsylvania, found itself an unexpected target of an international cyberattack. This water authority, responsible for serving around 22,000 people in the woodsy exurbs near Pittsburgh, had never sought external assistance to secure its systems against cyber threats, whether at its aging plant from the 1930s or the new $18.5 million facility under construction.

However, it became a victim, along with other water utilities, of what federal authorities claim were Iranian-backed hackers. These hackers were specifically targeting equipment because it was of Israeli origin.

The cyberattack on Aliquippa’s Municipal Water Authority has raised concerns among U.S. security officials. At a time when both states and the federal government are grappling with the challenge of fortifying water utilities against cyberattacks, the potential risks have been underscored. Authorities warn that hackers gaining control over automated equipment could disrupt water supply by shutting down pumps or compromise water quality by manipulating automated chemical treatment processes. Beyond Iran, other geopolitical adversaries such as China are also seen as potential threats by U.S. officials.

Several states have taken steps to enhance scrutiny of cybersecurity in response. However, advocates for water authorities argue that the sector, which includes over 50,000 utilities, mostly local entities serving regions with modest resources and a scarcity of cybersecurity professionals, lacks the necessary funding and expertise.

Moreover, investing in cybersecurity is difficult when essential water infrastructure upkeep is already underfunded. Some cybersecurity measures have been promoted by private water companies, leading to resistance from public authorities who view them as potential pathways to privatization.

In 2021, the federal government’s top cybersecurity agency reported five attacks on water authorities over two years, including four ransomware attacks and one carried out by a former employee.

Efforts to address the issue have taken on greater urgency in some states, with New Jersey and Tennessee passing legislation aimed at bolstering cybersecurity. Indiana and Missouri had already passed similar laws before 2021. California enacted a law in 2021 that tasked state security agencies with developing plans to improve cybersecurity in the agriculture and water sectors.

However, legislation stalled in certain states, including Pennsylvania and Maryland, where public water authorities opposed bills supported by private water companies. Critics argued that such bills would impose burdensome costs on public authorities and potentially encourage their transition to private ownership, where utility commissions impose stricter regulatory standards, raising confidence in tap water safety.

The issue of cybersecurity often takes a back seat for many water authorities due to more pressing concerns such as aging infrastructure and the costs associated with compliance with clean water regulations. While the need for improved cybersecurity is recognized, funding remains a challenge.

Pennsylvania State Representative Rob Matzie, whose district includes the Aliquippa water authority, is working on legislation to create a funding source for water and electric utilities to address cybersecurity upgrades. He emphasized the lack of financial resources available to entities like the Aliquippa water authority.

The U.S. Environmental Protection Agency (EPA) proposed a rule in March requiring states to assess the cybersecurity of water systems. However, this rule faced legal challenges from three states—Arkansas, Missouri, and Iowa—which accused the EPA of exceeding its authority. A federal appeals court suspended the rule, and the EPA withdrew it in October. Nonetheless, some officials believe it could have identified vulnerabilities that were exploited in subsequent cyberattacks.

The American Water Works Association and the National Rural Water Association, representing public water authorities, have now endorsed bills in Congress aimed at addressing the cybersecurity issue through different approaches. One bill proposes tiered regulations, with greater requirements for larger or more complex water utilities. The other is an amendment to Farm Bill legislation that would send federal employees known as “circuit riders” to assist smaller and rural water systems in identifying and addressing cybersecurity vulnerabilities.

If Congress does not take action, the industry will continue to operate under six-year-old Safe Drinking Water Act standards, which are largely voluntary and have shown limited progress, according to both the EPA and cybersecurity experts.

States are currently applying for grants from a $1 billion federal cybersecurity program established under the 2021 federal infrastructure law. However, water utilities will be competing for these funds with other entities, including hospitals, police departments, courts, schools, and local governments.

Robert M. Lee, CEO of Dragos Inc., a cybersecurity firm specializing in industrial control systems, noted that the Aliquippa water authority’s situation is common for tens of thousands of utilities across the country. To address this issue, Dragos has started offering free access to online support and software designed to detect vulnerabilities and threats for water and electric utilities with revenue below $100 million.

After Russia’s attack on Ukraine in 2022, Dragos provided software, hardware, and installation to 30 utilities at a cost of a few million dollars. The feedback was overwhelmingly positive, highlighting the importance of addressing the cybersecurity needs of such utilities that often receive minimal attention and support.

Daily True News
