It had never had outside help in protecting its systems from a cyberattack, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building.
Pennsylvania’s two senators joined Congressman Chris Deluzio in sending a letter to Attorney General Merrick Garland urging “the Justice Department to conduct a full investigation and hold those responsible accountable.”
The hacking of the Municipal Water Authority of Aliquippa is prompting new warnings from U.S. security officials at a time when states and the federal government are wrestling with how to harden water utilities against cyberattacks.
The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. Besides Iran, other potentially hostile geopolitical rivals, including China, are viewed by U.S. officials as a threat.
With inaction in Congress, a handful of states passed legislation to step up scrutiny of cybersecurity, including New Jersey and Tennessee. Before 2021, Indiana and Missouri had passed similar laws. A 2021 California law commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.
Private water companies say the bills would force their public counterparts to abide by the stricter regulatory standards that private companies face from utility commissions and, as a result, boost public confidence in the safety of tap water.
“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokesperson for the National Association of Water Companies. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people’s willingness and trust in drinking it.”
“This is a privatization bill,” Justin Fiore of the Maryland Municipal League told Maryland lawmakers during a hearing last spring. “They’re seeking to take public water companies, privatize them by expanding the burden, cutting out public funding.”
One critic, Pennsylvania state Sen. Katie Muth, a Democrat from suburban Philadelphia’s Montgomery County, criticized a GOP-penned bill for lacking funding.
“People are drinking water that is below standards, but selling out to corporations who are going to raise rates on families across our state who cannot afford it is not a solution,” Muth told colleagues during floor debate on a 2022 bill.
In March, the U.S. Environmental Protection Agency proposed a new rule to require states to audit the cybersecurity of water systems.
It was short-lived.
One bill would roll out a tiered approach to regulation: more requirements for bigger or more complex water utilities. The other is an amendment to Farm Bill legislation to send federal employees called “circuit riders” into the field to help smaller and rural water systems detect cybersecurity weaknesses and address them.
If Congress does nothing, 6-year-old Safe Drinking Water Act standards will still be in place — a largely voluntary regime that both the EPA and cybersecurity analysts say has yielded minimal progress.
Meanwhile, states are in the midst of applying for grants from a $1 billion federal cybersecurity program, money from the 2021 federal infrastructure law.
But water utilities will have to compete for the money with other utilities, hospitals, police departments, courts, schools, local governments and others.
“That story is tens of thousands of utilities across the country,” Lee said.
Because of that, Dragos has begun offering free access to its online support and software that helps detect vulnerabilities and threats for water and electric utilities that draw under $100 million in revenue.
After Russia attacked Ukraine in 2022, Dragos tested the idea by rolling out software, hardware and installation at a cost of a couple million bucks for 30 utilities.
“It was amazing, the feedback,” Lee said. “You wonder, ‘Hey I think I can move the needle in this way’ … and those 30 were like, ‘Holy crap, no one’s ever paid attention to us. No one’s ever tried to get us help.'”