A cyber attack by Iranian-backed hackers on Aliquippa, a Pennsylvania water utility company, has triggered new waves of security concerns.
Aliquippa Pennsylvania Water Utility Cyber Attack
The Aliquippa Water Authority, a small water authority in western Pennsylvania, was probably the least expected victim of an international cyberattack.
A remotely controlled device at Aliquippa’s water pumping station that monitors and regulates water pressure was shut down by Iranian hackers. An alarm alerted crews to switch to manual operation, but not all water authorities have built-in manual backup systems.
Iranian Hackers Role in Cyber Attack on the U.S. Water Utilities
Federal authorities report that Iranian-backed (IRGC-affiliated) hackers targeted the authority, along with several other water utilities, because its equipment was Israeli-made. As a result of the hacking incident in late 2023, broader warnings are being issued. U.S. security officials are warning about a hack on a municipal water authority in a small Pennsylvania town.
According to CISA, “CyberAv3ngers (also known as CyberAveng3rs, Cyber Avengers) is an Iranian IRGC cyber persona that has claimed responsibility for numerous attacks against critical infrastructure organizations. The group claimed responsibility for cyberattacks in Israel beginning in 2020. CyberAv3ngers falsely claimed they compromised several critical infrastructure organizations in Israel. CyberAv3ngers also reportedly has connections to another IRGC-linked group known as Soldiers of Solomon. Most recently, CyberAv3ngers began targeting U.S.-based WWS facilities that operate Unitronics PLCs.”
According to officials, hackers could reprogram automated chemical treatments to contaminate drinking water by shutting down water pumps or pumps supplying drinking water. Other potentially hostile geopolitical rivals, such as China, are also viewed as threats by U.S. officials.
As reported in November 2023, CISA has been responding to active exploits of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) industry. At a United States water facility, cyber threat actors targeted PLCs associated with WWS facilities, including a Unitronics PLC. This caused the affected municipality’s water authority to immediately shut down the system and switch to manual operation – the municipality’s drinking water is not at risk.
Cybersecurity Situation of the U.S. Water Utilities
Meanwhile, water utilities in the United States have been more and more the targets of cyber attacks, and many states have since been seeking requirements that utilities update their cybersecurity, even though utilities say they are underfunded for the maintenance of the pipes and other infrastructure. In March 2023, the US Environmental Protection Agency proposed state-level cybersecurity audits of water systems. Sadly, it didn’t last long.
As Congress failed to act, a few states, such as New Jersey and Tennessee, passed legislation to increase cybersecurity scrutiny. Similar laws had been passed in Indiana and Missouri prior to 2021. According to a California law enacted in 2021, state security agencies were tasked with developing plans to improve agriculture and water cybersecurity.
Experts, however, believe that the legislation died in several states, such as Pennsylvania and Maryland, where public water authorities opposed private water company-backed bills.
A bill was criticized for lacking funding by Pennsylvania state Senator Katie Muth. Katie J. Muth is an American politician serving as a Democratic member of the Pennsylvania State Senate, representing the 44th District. Her district includes portions of northeastern Chester and southwestern Montgomery and Berks Counties. Muth serves in Senate Democratic Leadership as the Senate Democratic Policy Chair. “People are drinking water that is below standards, but selling out to corporations who are going to raise rates on families across our state who cannot afford it is not a solution,” Muth said.
In addition to water utilities, hospitals, police departments, courts, schools, and local governments are subjected to cyberattacks and ransomware attacks and lack the money and resources to meet their needs. The Bipartisan Infrastructure Deal states that the US government pledged to add 1.5 million jobs and provide clean drinking water to 10 million households. According to the deal, “Currently, up to 10 million American households and 400,000 schools and child care centers lack safe drinking water. The Bipartisan Infrastructure Deal will invest $55 billion to expand access to clean drinking water for households, businesses, schools, and childcare centers all across the country.”
In opposition to the legislation, opponents claimed it is designed to place burdensome costs on public authorities and encourage them to sell out to private companies that can convince state utility commissions to raise rates.
Aliquippa Water Authority, which has an existing plant dating back to the 1930s and a new $18.5 million one in the works, never had outside help protecting its systems from cyberattacks.
According to Dragos Inc. CEO Robert M. Lee, the Aliquippa Water Authority had no cybersecurity help. He added, “That story affects tens of thousands of utilities across the country.”
Consequently, Dragos has begun providing free access to its online services and software that helps detect vulnerabilities and threats to water utilities with revenue under $100 million. In 2022, after Russia attacked Ukraine, Dragos released the idea of software, hardware, and installation to 30 utilities for a couple of million dollars. Lee described the feedback as “amazing”.
Some experts say this should be a wake-up call and that local officials at water utilities are often the frontline cyber warriors.