• 
  Aliquippa Water Authority in western Pennsylvania, as well as other U.S. utilities of water, became victims of a cyberattack.
  
• 
  U.S. officials were concerned about the vulnerability to cyber-attacks of U.S. water utilities.
  
• 
  Despite increasing threats, many water utilities lack the funds and expertise to implement effective cybersecurity measures.
  

Aliquippa Water Authority in Western Pennsylvania , a tiny water authority located in west Pennsylvania , was the victim of a cyberattack that came from an unknown country.

It never received outside assistance in protecting its system from a cyberattack at either its existing plant, which dates back to the 1930s, or the new $18.5-million one that it is currently building.

It was then, along with other water utilities, targeted by hackers who federal authorities claim are Iranian-backed. They were targeting an Israeli-made piece of equipment.

Matthew Mottes is the chairman of the authority which handles water and waste water for 22,000 residents in the wooded exurbs surrounding a former steel town near Pittsburgh.

US DEPARTMENT OF JUSTICE URGED TO INVESTIGATE AFTER FOREIGN HATER BREACHED PENNSYLVANIA’S WATER SUPPLY

U.S. officials are warning about the hacking of Aliquippa Municipal Water Authority at a moment when the states and federal government are battling over how to protect water utilities from cyberattacks.

Officials say that hackers could gain control of automated equipment and shut down drinking water pumps or contaminate water by reprogramming chemical treatment machines. The U.S. government views other geopolitical competitors, such as China as a potential threat.

The number of states that have increased their scrutiny is increasing, but water authority advocates claim the real problem is the lack of money and expertise. This sector includes more than 50,000 local water utilities. Most of these are local authorities, such as Aliquippa, which serve areas of the nation where residents live on modest incomes and cybersecurity experts are rare.

Utility companies say it’s hard to invest in cybersecurity if the upkeep of water pipes and infrastructure is already underfunded. Some cybersecurity measures were pushed by private water firms, prompting public authorities to push back, claiming that they are being used as a way to privatize.

CYBERSECURITY AGENCY: PENNSYLVANIA’S WATER SUPPLY IS THREATENED AFTER ATTACKERS TARGET THE WATER AUTHORITY

In 2021, efforts took on a new urgency when the leading federal cybersecurity agency reported that five attacks had been made on water authorities in two years. Four of these were ransomware attacks and one was by a former worker.

Iranian hackers took down a remote-controlled device at the Aliquippa authority that monitored and regulated water pressure in a pumping facility. The customers were not affected by the hack because crews quickly switched over to manual operation when they heard an alarm. However, not all water authorities have a manual backup system.

New Jersey, Tennessee, and other states have passed laws to increase the scrutiny of cybersecurity due to inaction by Congress. Indiana and Missouri passed similar laws before 2021. California’s 2021 law required state security agencies develop funding and outreach plans to improve cybersecurity for agriculture and water.

In several states, such as Pennsylvania and Maryland, public water authorities opposed bills supported by private water companies.

The private water companies claim that the bills will force their public counterparts, who are subject to the same stricter standards as the private water companies, to adhere by utility commissions’ regulations. This, they say, would boost public confidence about the safety of tapwater.

Jennifer Kocher, spokesperson for the National Association of Water Companies said that the system protects the tap water of the United States. It is the most cost-effective option for many families. However, it has also caused a lack in confidence among those who believe they can drink the water. Every time one of these problems occurs, it undermines confidence in the water and the willingness of people to drink it.

The opponents said that the legislation was designed to force burdensome costs on public authorities, and to encourage their boards and ratespayers to sell to private companies who can convince state utility commissions of the need to increase rates.

Justin Fiore, of the Maryland Municipal League, told Maryland legislators during an hearing in spring last year that “This is privatization legislation.” “They are trying to privatize public water companies by increasing the burden and cutting public funding.”

Many authorities tend to put cybersecurity on the back burner in favor of other pressing issues, such as aging pipes or the rising costs of complying with water regulations.

Katie Muth of Montgomery County in suburban Philadelphia, a Democrat, criticized a GOP bill as lacking funding.

“People drink water that’s below standards. But selling out to corporations, who will raise rates for families in our state who can’t afford it, isn’t a solution,” Muth said to colleagues during a floor debate about a bill 2022.

Pennsylvania state Rep. Rob Matzie is a Democrat whose Aliquippa district includes the Aliquippa Water Authority. He has been working on legislation that will create a new funding source to help water and electricity utilities pay for cybersecurity updates after he searched for existing funding sources and found none.

The Aliquippa Water and Sewer Authority? Matzie stated in an interview that they don’t have any money.

The U.S. Environmental Protection Agency (EPA) proposed a rule in March that would require all states to conduct an audit of the security of their water systems.

The short-lived nature of the event

Three states, Arkansas, Missouri, and Iowa, sued the agency, accusing it of exceeding its authority. A federal appeals court suspended the rule immediately. The EPA retracted the rule in October. However, a deputy national-security adviser, Anne Neuberger told The Associated Press it may have “identified vulnerability that was targeted in recent week.”

The American Water Works Association (AWWA) and the National Rural Water Association (NRWA), two groups representing public water authorities that oppose the EPA regulation, are now supporting bills in Congress which address the issue differently.

The first bill would introduce a tier system of regulation, with more stringent requirements for larger or more complex utilities. Another amendment to Farm Bill legislation would send federal employees, called “circuit-riders”, into the field to assist smaller and rural water utilities detect cybersecurity vulnerabilities and fix them.

If Congress doesn’t act, the Safe Drinking Water Act will remain in effect for another six years. This voluntary system has been criticized by both cybersecurity analysts and the EPA as having made minimal progress.

States are currently applying for grant money under a federal $1 billion cybersecurity program. The funds come from the 2021 federal Infrastructure Law.

Water utilities will be competing for money with hospitals, police departments and courts, as well as other utilities.

Robert M. Lee is the CEO of Dragos Inc. which specializes on cybersecurity for industrial control systems. He said that Aliquippa’s story – that they had no cybersecurity assistance – was common.

Lee stated that “that story is true for tens and thousands of utilities throughout the country.”

HACK OF WATER SUPPLY IN SMALL FLORIDA TOWN SIMILAR TO ISRAELI ATTACK BLAMED ON IRAN

Dragos offers free online support to utilities with revenues below $100 million. This software helps them detect vulnerabilities and threats.

Dragos, after Russia invaded Ukraine in 2022 tested the idea with software, hardware, and installation for a couple of million dollars.

Lee described the feedback as “amazing”. “You think, hey, I think I can change the needle this way”… but those 30 people were like, “Holy crap, nobody has ever paid attention to me.” No one has ever asked for help.