In late November, an Iranian-backed hacking group attacked Israeli-made digital controls commonly used in the water and wastewater industries in the U.S., affecting multiple organizations across several states.
That same month, the North Texas Municipal Water District, which supplies water to more than 2 million customers, was the victim of a ransomware attack. And earlier this year, hackers linked to China’s People’s Liberation Army attacked a water utility in Hawaii, according to the Washington Post.
While none of the intrusions affected water quality or supply or disabled any critical function, they’ve all taken place while the U.S. government has been haggling with municipal water associations and policymakers over how best to protect one of the nation’s most critical resources from cyberattacks.
The Iranian-linked hacks were a wake-up call that has jolted officials to redouble efforts to agree on at least minimum standards of security. But little actual progress has been made so far.
The recent events “highlight that our national cybersecurity isn’t where it needs to be,” said Anne Neuberger, deputy national security adviser, speaking to reporters earlier this month. The White House is now working closely with Congress to beef up the EPA’s authority to ensure minimum cybersecurity practices across the water sector, she said.
The next time could be much worse. The water system is an especially vulnerable part of U.S. infrastructure, fraught with weak controls, insufficient funding, staffing shortages and a lack of trust between the industry and government agencies. In October, the Environmental Protection Agency was forced to rescind plans introduced earlier this year that required states to evaluate the adequacy of cybersecurity protections at water facilities in order to help bolster defenses and mitigate exposure. Republican lawmakers in three states called the oversight illegal, accusing the EPA of overreach.
Less than two months later, a group that goes by the name CyberAv3ngers, and that the U.S. Cybersecurity & Infrastructure Security Agency said is affiliated with the Islamic Revolutionary Guard Corps, targeted digital control devices used in the water and wastewater industries made by Israeli company Unitronics. The hackers, who sought out devices connected to the internet with default passwords, disabled the digital display screens used to adjust water pressure and left a message: “You have been hacked, down with Israel.”
The U.S. government has pushed to help secure all public utility infrastructure from the rising threat of digital incursions, and earlier this year rolled out a cybersecurity plan to bolster protections on critical sectors and make software companies legally liable when their products don’t meet basic standards.
But the water sector has been more problematic than others because it comprises about 150,000 active public water systems across the country. Of those, 97% serve communities of 10,000 people or fewer and have minimal staffing. Many of them depend on tiny snippets of state or local government funding, leaving little to invest in technical expertise.
The Municipal Water Authority of Aliquippa, which serves about 15,000 people around Pittsburgh, was at the center of the Iranian-linked group hack. Cybersecurity experts had expected an uptick in activity by state-backed Iranian and pro-Palestinian hackers since the Oct. 7 attack on Israel by Hamas.
The cyberattacks extended beyond the small Western Pennsylvanian water authority and left vulnerable other industries that use the same equipment, which can be found in energy, food and beverage manufacturing, and healthcare, according to CISA. At least 10 water-related operations were affected by the CyberAv3ngers attack, a person familiar with the matter said.
That’s how a small craft brewery in New Jersey found itself an unlikely victim of the Islamic Revolutionary Guard Corps’ global hacking operations. The family-run Frye Brewing Company said it was forced to stop brewing ales and lagers for a few days as a result of the CyberAv3ngers hack, highlighting the broader risks facing the fragmented U.S. water system.
“We are a small mom-and-pop operation (literally) that was inconvenienced by a war being fought a world away,” Mike Frye, who runs the brewery with his wife Colleen, said in an email. “We were lax in our security and it cost us a few days of headache,” Frye said.
White House officials, led by Neuberger, and EPA staffers met earlier this month with water association representatives to discuss how best to shore up defenses for the future, according to two people familiar with the meeting who asked not to be identified discussing private conversations.
The water associations agreed to spread the message to the utility operators on how to meet basic cybersecurity standards, the people said. But conversations about requiring mandatory cybersecurity checks in routine inspections or other technical details, including potentially any federal or state aid, were more cursory and didn’t result in any action, according to one of the people.
“The thing we’ve worried about the most since 9/11 was someone putting a pathogen or some kind of chemical biological agent in a water supply,” said Mark Montgomery, a retired Rear Admiral and senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies.
Montgomery and others have written recommendations for legislation that would include providing technical assistance to rural water operators and a risk-and-resilience program for larger systems. But those measures, set to be included in a Department of Agriculture bill, have idled as lawmakers spar over other issues. Meanwhile, the Biden administration hopes states can use existing resources to improve the cybersecurity of vulnerable water systems - by tapping funds in the Bipartisan Infrastructure Law, according to a National Security Council spokesperson.
The discussions between the EPA and the water associations have been steeped in acrimony for years, with the agency pushing forward a proposal in March that the water industry repeatedly said was unworkable and had no legal basis, according to people familiar with the discussions.
Meetings were described by people familiar with the discussions as “tense,” and association members said they felt “talked at” rather than heard in some sessions. The EPA said it had “engaged extensively” with stakeholders “to build a shared awareness, understand the issues, and address concerns.”
Since the EPA pulled its proposed plan in October, there had been little communication between the water associations and the federal agency, said Alan Roberson, executive director of the Association of State Drinking Water Administrators. The EPA said in a statement that it meets monthly with “relevant members of the water sector which regularly includes representatives from various national water associations.” Its most recent call was in early November.
“We’ve got to make more progress,” Neuberger said last week on the sidelines of a security conference in Washington. “I think all avenues are on the table.”
Visit bloomberg.com
©2023 Bloomberg L.P.