States, Congress wrestle with cybersecurity after Iran hacks small-town water utilities
HARRISBURG, Pa. — The tiny Aliquippa water authority in western Pennsylvania was perhaps the least-suspecting victim of an international cyberattack.
It had never had outside help in protecting its systems from a cyberattack, either at its current plant, which dates to the 1930s, or at a new $18.5-million one that is being built.
Then the agency — along with several other water utilities — was struck by what federal authorities say are Iranian-backed hackers who were targeting a piece of equipment specifically because it was Israeli-made.
“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said Matthew Mottes, chairman of the authority that handles water and wastewater for about 22,000 people in the woodsy exurbs around a onetime steel town outside Pittsburgh.
The hacking of the Municipal Water Authority of Aliquippa is prompting warnings from U.S. security officials at a time when states and the federal government are wrestling with how to harden water utilities against cyberattacks. The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. Besides Iran, other potentially hostile geopolitical rivals, including China, are viewed by U.S. officials as a threat.
A number of states have sought to step up scrutiny, although experts say money and expertise are lacking for more than 50,000 water utilities, most of which are local authorities that, like Aliquippa’s, serve areas of the country where residents are of modest means and cybersecurity professionals are scarce.
Additionally, utilities say, it’s difficult to invest in cybersecurity when upkeep of water infrastructure is underfunded. Some cybersecurity measures have been pushed by private water companies, sparking pushback from public authorities that the issue is being used as a back door to privatization.
The efforts took on urgency in 2021, when the federal government’s leading cybersecurity agency reported five attacks on water authorities over two years, four via ransomware and the other by a former employee.
At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren’t affected because crews, alerted by an alarm, quickly switched to manual operation — but not every water authority has a built-in manual backup system.
With inaction in Congress, a handful of states, including New Jersey and Tennessee, passed legislation to step up cybersecurity. Before 2021, Indiana and Missouri passed similar laws. A 2021 California law commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.
Similar legislation died in several states, including Pennsylvania and Maryland, where public water authorities fought bills backed by private water companies to force them to upgrade aspects of their infrastructure, including pipes and cybersecurity measures.
Private water companies say such bills would force their public counterparts to abide by the stricter regulatory standards they face from utility commissions and, as a result, boost public confidence in the safety of tap water.
“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokesperson for the National Assn. of Water Cos. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it, and every time there’s one of these issues, it undercuts the confidence in water, and it undercuts people’s willingness and trust in drinking it.”
Opponents said the legislation is designed to foist burdensome costs onto public authorities and encourage their boards and ratepayers to sell out to private companies that can persuade state utility commissions to raise rates to cover the costs.
“This is a privatization bill,” Justin Fiore of the Maryland Municipal League told state lawmakers during a hearing last spring. “They’re seeking to take public water companies, privatize them by expanding the burden, cutting out public funding.”
For many authorities, the demands of cybersecurity fade into the background of more pressing needs for residents wary of rate increases: aging pipes and increasing costs to comply with clean water regulations.
One critic, Pennsylvania state Sen. Katie Muth, a Democrat from Montgomery County, criticized a GOP-penned bill for lacking funding.
“People are drinking water that is below standards, but selling out to corporations who are going to raise rates on families across our state who cannot afford it is not a solution,” Muth told colleagues during floor debate on a 2022 bill.
Pennsylvania state Rep. Rob Matzie, a Democrat whose district includes the Aliquippa water authority, is working on legislation to create a funding stream to help water and electric utilities pay for cybersecurity upgrades after he looked for an existing funding source and found none.
“The Aliquippa water and sewer authority? They don’t have the money,” Matzie said in an interview.
In March, the U.S. Environmental Protection Agency proposed a rule to require states to audit the cybersecurity of water systems. It was short-lived. Three states — Arkansas, Missouri and Iowa — sued, accusing the agency of overstepping its authority, and a federal appeals court promptly suspended the rule. The EPA withdrew the rule in October, although a deputy national security advisor, Anne Neuberger, told the Associated Press that it could have “identified vulnerabilities that were targeted in recent weeks.”
Two groups that represent public water authorities, the American Water Works Assn. and the National Rural Water Assn., opposed the EPA rule and are backing bills in Congress to address the issue in different ways.
One bill would roll out a tiered approach to regulation: more requirements for bigger or more complex water utilities. The other is an amendment to the Farm Bill that would send federal employees called “circuit riders” into the field to help smaller and rural water systems detect and address cybersecurity weaknesses.
If Congress does nothing, 6-year-old Safe Drinking Water Act standards will remain in place — a largely voluntary regime that both the EPA and cybersecurity analysts say has yielded minimal progress.
Meanwhile, states are applying for grants from a $1-billion federal cybersecurity program, funded by the 2021 federal infrastructure law. But water utilities will have to compete for the money with other utilities, hospitals, police departments, courts, schools, local governments and others.
Robert M. Lee, chief executive of Dragos Inc., which specializes in cybersecurity for industrial-control systems, said the Aliquippa water authority’s lack of cybersecurity help is common.
“That story is tens of thousands of utilities across the country,” Lee said.
Because of that, Dragos has begun offering free access to its online support and software that helps detect vulnerabilities and threats for water and electric utilities that draw less than $100 million in annual revenue.
After Russia attacked Ukraine in 2022, Dragos tested the idea by rolling out software, hardware and installation, at a cost of around $2 million, for 30 utilities.
“It was amazing, the feedback,” Lee said. “You wonder, ‘Hey, I think I can move the needle in this way’ ... and those 30 were like, ‘Holy crap, no one’s ever paid attention to us. No one’s ever tried to get us help.’”
More to Read
Sign up for Essential California
The most important California stories and recommendations in your inbox every morning.
You may occasionally receive promotional content from the Los Angeles Times.