US security officials are voicing concerns over cybersecurity protections of water utilities across the nation after hackers targeted the small Municipal Water Authority of Aliquippa in western Pennsylvania.
According to federal authorities, hackers with ties to Iran targeted a specific industrial control device that monitors and regulates water pressure, singling it out because it is Israeli-made.
“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said the chairman of the authority that’s in charge of water and wastewater in Aliquippa, Matthew Mottes.
Customers didn’t experience any disruptions because crews were alerted by an alarm, which prompted them to transition to manual operation. However, not all water authorities have such backup systems in place.
The Iranian-backed hackers also targeted other organizations, but authorities have yet to reveal the exact number.
“The victims span multiple US states,” the FBI, the Environmental Protection Agency, the Cybersecurity and Infrastructure Security Agency, and Israel’s National Cyber Directorate wrote in an advisory last month.
Officials are now warning that hackers could disrupt water supply pumps or alter chemical treatments in drinking water. In addition to Iran, US authorities also believe that other geopolitical adversaries, including China, pose a serious cybersecurity risk.
Several states have been making efforts to boost surveillance and cybersecurity measures. But advocates for water authorities argue the real challenge is the lack of funding and expertise in this area, especially for the more than 50,000 water utilities across the country, many of which are small, local authorities serving less affluent communities where access to cybersecurity experts is limited.
Another issue is that water authorities are finding it challenging to allocate funds for cybersecurity as they’re spending a lot on maintaining and upgrading water infrastructure.
Private water companies have put forward some cybersecurity initiatives, but public authorities are concerned these measures might be a pretext for privatization. Justin Fiore of the Maryland Municipal League, speaking to Maryland lawmakers during a hearing last spring, called it a “privatization bill.”
“They’re seeking to take public water companies, privatize them by expanding the burden, cutting out public funding,” Fiore added.
On the other hand, private companies argue that introducing stricter rules would force public companies to improve the security of their systems.
“It’s protecting the nation’s tap water. It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people’s willingness and trust in drinking it,” said Jennifer Kocher, a spokesperson for the National Association of Water Companies.