El Dorado News-Times

States and Congress wrestle with cybersecur­ity after Iran attacks small town water utilities

- Follow Marc Levy at www.twitter.com/timelywrit­er. MARC LEVY

HARRISBURG, Pa. (AP) — The tiny Aliquippa water authority in western Pennsylvan­ia was perhaps the least-suspecting victim of an internatio­nal cyberattac­k.

It had never had outside help in protecting its systems from a cyberattac­k, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building.

Then it — along with several other water utilities — was struck by what federal authoritie­s say are Iranian-backed hackers targeting a piece of equipment specifical­ly because it was Israeli-made.

“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said Matthew Mottes, the chairman of the authority that handles water and wastewater for about 22,000 people in the woodsy exurbs around a one-time steel town outside Pittsburgh.

The hacking of the Municipal Water Authority of Aliquippa is prompting new warnings from U.S. security officials at a time when states and the federal government are wrestling with how to harden water utilities against cyberattac­ks.

The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminat­e drinking water by reprogramm­ing automated chemical treatments. Besides Iran, other potentiall­y hostile geopolitic­al rivals, including China, are viewed by U.S. officials as a threat.

A number of states have sought to step up scrutiny, although water authority advocates say the money and the expertise are what is really lacking for a sector of more than 50,000 water utilities, most of which are local authoritie­s that, like Aliquippa’s, serve corners of the country where residents are of modest means and cybersecur­ity profession­als are scarce.

Besides, utilities say, it’s difficult to invest in cybersecur­ity when upkeep of pipes and other water infrastruc­ture is already underfunde­d, and some cybersecur­ity measures have been pushed by private water companies, sparking pushback from public authoritie­s that it is being used as a back door to privatizat­ion.

Efforts took on new urgency in 2021 when the federal government’s leading cybersecur­ity agency reported five attacks on water authoritie­s over two years, four of them ransomware and a fifth by a former employee.

At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren’t affected because crews alerted by an alarm quickly switched to manual operation — but not every water authority has a built-in manual backup system.

With inaction in Congress, a handful of states passed legislatio­n to step up scrutiny of cybersecur­ity, including New Jersey and Tennessee. Before 2021, Indiana and Missouri had passed similar laws. A 2021 California law commission­ed state security agencies to develop outreach and funding plans to improve cybersecur­ity in the agricultur­e and water sectors.

Legislatio­n died in several states, including Pennsylvan­ia and Maryland, where public water authoritie­s fought bills backed by private water companies.

Private water companies say the bills would force their public counterpar­ts to abide by the stricter regulatory standards that private companies face from utility commission­s and, as a result, boost public confidence in the safety of tap water.

“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokespers­on for the National Associatio­n of Water Companies. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people’s willingnes­s and trust in drinking it.”

Opponents said the legislatio­n is designed to foist burdensome costs onto public authoritie­s and encourage their boards and ratepayers to sell out to private companies that can persuade state utility commission­s to raise rates to cover the costs.

“This is a privatizat­ion bill,” Justin Fiore of the Maryland Municipal League told Maryland lawmakers during a hearing last spring. “They’re seeking to take public water companies, privatize them by expanding the burden, cutting out public funding.”

For many authoritie­s, the demands of cybersecur­ity tend to fade into the background of more pressing needs for residents wary of rate increases: aging pipes and increasing costs to comply with clean water regulation­s.

One critic, Pennsylvan­ia state Sen. Katie Muth, a Democrat from suburban Philadelph­ia’s Montgomery County, criticized a GOPpenned bill for lacking funding.

“People are drinking water that is below standards, but selling out to corporatio­ns who are going to raise rates on families across our state who cannot afford it is not a solution,” Muth told colleagues during floor debate on a 2022 bill.

Pennsylvan­ia state Rep. Rob Matzie, a Democrat whose district includes the Aliquippa water authority, is working on legislatio­n to create a funding stream to help water and electric utilities pay for cybersecur­ity upgrades after he looked for an existing funding source and found none.

“The Aliquippa water and sewer authority? They don’t have the money,” Matzie said in an interview.

In March, the U.S. Environmen­tal Protection Agency proposed a new rule to require states to audit the cybersecur­ity of water systems.

It was short-lived.

Three states — Arkansas, Missouri and Iowa — sued, accusing the agency of oversteppi­ng its authority and a federal appeals court promptly suspended the rule. The EPA withdrew the rule in October, although a deputy national security adviser, Anne Neuberger, told The Associated Press that it could have “identified vulnerabil­ities that were targeted in recent weeks.”

Two groups that represent public water authoritie­s, the American Water Works Associatio­n and the National Rural Water Associatio­n, opposed the EPA rule and now are backing bills in Congress to address the issue in different ways.

One bill would roll out a tiered approach to regulation: more requiremen­ts for bigger or more complex water utilities. The other is an amendment to Farm Bill legislatio­n to send federal employees called “circuit riders” into the field to help smaller and rural water systems detect cybersecur­ity weaknesses and address them.

If Congress does nothing, 6-year-old Safe Drinking Water Act standards will still be in place — a largely voluntary regime that both the EPA and cybersecur­ity analysts say has yielded minimal progress.

Meanwhile, states are in the midst of applying for grants from a $1 billion federal cybersecur­ity program, money from the 2021 federal infrastruc­ture law.

But water utilities will have to compete for the money with other utilities, hospitals, police department­s, courts, schools, local government­s and others.

Robert M. Lee, CEO of Dragos Inc., which specialize­s in cybersecur­ity for industrial-control systems, said the Aliquippa water authority’s story — that it had no cybersecur­ity help — is common.

“That story is tens of thousands of utilities across the country,” Lee said.

Because of that, Dragos has begun offering free access to its online support and software that helps detect vulnerabil­ities and threats for water and electric utilities that draw under $100 million in revenue.

After Russia attacked Ukraine in 2022, Dragos tested the idea by rolling out software, hardware and installati­on at a cost of a couple million bucks for 30 utilities.

“It was amazing, the feedback,” Lee said. “You wonder, ‘Hey I think I can move the needle in this way’ … and those 30 were like, ‘Holy crap, no one’s ever paid attention to us. No one’s ever tried to get us help.’”

Newspapers in English

Newspapers from United States