Cyberattacks By Iran Actors Expose Vulnerability Of U.S. Water Systems

ACROSS AMERICA — A cyberattack on the water utility of a tiny western Pennsylvania town, one of several similar intrusions in multiple U.S. states late last year as the Israel-Hamas war escalated, has renewed debate over how to harden critical infrastructure and ensure that when Americans turn on the tap, clean, safe water will flow.

In early December, federal cybersecurity authorities confirmed “victims in multiple U.S. states” of Iranian-backed hackers targeting a piece of equipment commonly used by water utilities specifically because it was Israeli-made.

The advisory, from the FBI, the Environmental Protection Agency, and the Cybersecurity and Infrastructure Security Agency (CISA), did not say how many organizations had been hacked or describe them in any way.

At the Aliquippa, Pennsylvania, water authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren't affected because crews alerted by an alarm quickly switched to manual operation — but not every water authority has a built-in manual backup system.

“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said Matthew Mottes, the chairman of the authority that handles water and wastewater for about 22,000 people in the woodsy exurbs around a one-time steel town outside Pittsburgh.

It had never had outside help in protecting its systems from a cyberattack, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building.

The attacks are “really a clarion call for every organization running operational technology to focus on solving critically important basic steps,” Eric Goldstein, executive assistant director for cybersecurity at CISA, told reporters in early December.

The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. Besides Iran, other potentially hostile geopolitical rivals, including China, are viewed by U.S. officials as a threat.

The EPA Warned This Could Happen

A proposed federal rule last year would have required states to audit the vulnerability of their water systems to such attacks, but the EPA withdrew the proposal after three states sued, claiming the agency overstepped its authority. The proposed audits could have “identified vulnerabilities that were targeted in recent weeks,” EPA Deputy National Security Adviser Anne Neuberger told The Associated Press.

Such threats predate the Israel-Hamas war, dating back to at least 2021 when CISA reported five attacks on water authorities over two years, four of them ransomware and a fifth by a former employee.

Some states responded swiftly. At least five —California, Indiana, Missouri, New Jersey, and Tennessee — have increased scrutiny of cybersecurity in critical infrastructure in recent years, some before the 2021 cyberattacks. Similar measures failed in several other states, including Maryland and Pennsylvania.

In general, private water companies say the bills would force their public counterparts to abide by the stricter regulatory standards that private companies face from utility commissions and, as a result, boost public confidence in the safety of tap water.

“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokesperson for the National Association of Water Companies. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people's willingness and trust in drinking it.”

Opponents argue stricter regulations foist burdensome costs onto public authorities and encourage their boards and ratepayers to sell out to private companies that can persuade state utility commissions to raise rates to cover the costs.

For many authorities, the demands of cybersecurity tend to fade into the background of more pressing needs for residents, wary of rate increases to replace aging pipes and increasing costs to comply with clean water regulations. Water authority advocates say the money and the expertise are what is really lacking for a sector of more than 50,000 water utilities, most of which are local authorities that, like Aliquippa’s, serve corners of the country where residents are of modest means and cybersecurity professionals are scarce.

2 Bills In Congress

Two industry groups representing public utilities — the American Water Works Association and the National Rural Water Association — opposed the EPA audit proposal, but are backing bills in Congress to address the cybersecurity threat in other ways.

The level of cybersecurity sophistication varies among the nation’s 153,000 public drinking water systems. One proposed bill backed by the groups would roll out a tiered approach to regulation, with more requirements for bigger or more complex water utilities.

The other is an amendment to Farm Bill legislation to send federal employees called “circuit riders” into the field to help smaller and rural water systems detect and address cybersecurity weaknesses.

If Congress does nothing, six-year-old Safe Drinking Water Act standards will still be in place — a largely voluntary regime that the EPA and cybersecurity analysts say has yielded minimal progress.

Competition For Federal Grants

Meanwhile, states are in the midst of applying for grants from a $1 billion federal cybersecurity program with money from the 2021 federal infrastructure law. Water utilities, though, must compete with hospitals, police departments, courts, schools, local governments and others for the same pool of money.

That could leave bit players like the Aliquippa water authority at a competitive disadvantage. The authority’s story — that it had no cybersecurity help — is common, Robert M. Lee, CEO of Dragos Inc., which specializes in cybersecurity for industrial-control systems, told the AP.

His company offers free access to its online support and software that helps detect vulnerabilities and threats for water and electric utilities that draw under $100 million in revenue.

Applications for the most recent round of funding closed on Sept. 30.

The Associated Press contributed reporting.