Where’s the federal legislation for state water utility cybersecurity?
On Nov. 25, the Municipal Water Authority in Aliquippa, Pennsylvania, suffered a cyberattack on one of its water utility stations when an Iranian-backed hacking group disabled the monitor used to regulate water pressure throughout the system. Plant managers continued operating the system manually, so service was not disrupted, nor was the quality of the drinking water impacted.
In the aftermath of the cyberattack on Aliquippa and an increasing number of cyberattacks on local water utilities across the United States, state and local governments are feeling the pressure to shore up cyber protections for these critical infrastructure in the absence of federal assistance.
On Wednesday, several officials from water trade associations stressed the urgency of the situation to members of the House Energy and Commerce Committee, in a hearing focused on federal efforts to secure the thousands of water systems throughout the U.S. They urged lawmakers to pass legislation or grant federal funding so water facilities can receive the necessary cyber training, update their software, and better secure their systems.
According to the Environmental Protection Agency, there are 150,000 public water systems and 16,000 publicly owned wastewater systems in the U.S, which provide drinking water to about 90% of Americans.
However, public water facilities often have small operational budgets and limited access to cybersecurity resources. So without meaningful federal legislation or accessible funding efforts, these high-value targets remain vulnerable to cyber threats.
The ‘utility that you ingest’
One of the biggest threats cyberattacks pose to water utilities is contamination.
“Water is the only utility that you ingest. So if a bad actor gets into and wreaks havoc on a water system, the consequences could be very dire” Jennifer Kocher, vice president of communications and marketing for the National Water Companies Association, which represents regulated private water utilities, told StateScoop in a recent interview.
Public water systems use a series of water treatment methods to provide safe drinking water — adding chemical disinfectants such as chlorine, chloramine or chlorine dioxide — to kill any lingering bacteria, according to the Centers for Disease Control and Prevention.
In some instances, the valves that dispense and monitor the correct amount of chemicals to treat the water for public consumption are computer-operated and connected to the internet, so they can be accessed remotely by employees off-site. But without adequate cyber protections, it can also create an opportunity for bad actors to infiltrate the system.
“The products that are used to treat the water in certain doses are fine,” Kocher said. “But if someone gets into that system and sets it to a higher level, moves the decimal point, or does something like that, your water now becomes dangerous.”
In February 2021, an unknown hacker changed the levels of sodium hydroxide, also known as lye, at a water treatment plant in Oldsmar, Florida, to dangerous levels by remotely accessing a software interface used to control the plant’s levels of chemical disinfectants. An on-site employee noticed the alterations and immediately changed the chemical back to safe levels, as reported by CyberScoop in 2021.
A summary report of the Oldsmar attack showed the Cybersecurity and Infrastructure Security Agency found a security vulnerability similar to one that had been present in Aliquippa’s computer system, concluding “the cyber actors likely accessed the system by exploiting cybersecurity weaknesses, including poor password security, and an outdated operating system.”
But unlike in Oldsmar, the attackers are known. The Iranian-backed hacker group Cyber Av3ngers claimed responsibility for the Aliquippa attack, stating they targeted the small town for using Israeli-made components in the water system that serves thousands in the western region of Pennsylvania.
The politically motivated attack caught the attention of the Department of Homeland Security, which sent investigators to Aliquippa on Nov. 26, the day after the attack, and discovered a glaring oversight: The water authority was still using the software’s default ‘1111’ password at the time of the cyberattack, a detail first reported by The Tribune-Review.
On Nov. 30, CISA issued an alert for the Water and Wastewater Systems sector, concluding that the Aliquippa “[cyber]attackers likely accessed the affected device—a Unitronics Vision Series programmable logic controller with a Human Machine Interface–by exploiting cybersecurity weaknesses, including poor password security.” The agency said the hacking group hit 11 other facilities that also use the Israeli-made programmable logic controllers, or PLCs, including water and wastewater treatment centers across various states, through similar hacking techniques.
CISA also encouraged all water utility companies to change their devices’ default passwords and practice strong password management, a practice that many now consider basic cybersecurity hygiene.
“What we’re seeing is that many of these places that are the most vulnerable aren’t even doing the basics well,” Kocher said. “And why not? Because no one’s watching. And if no one’s watching and checking to see that the basics are being done, then how can we make sure that happens going forward?”
Kocher said most of the private water companies the trade association represents support federal and state cybersecurity legislation because the laws would force their public utility counterparts to abide by the stricter regulatory standards that private companies currently face from utility commissions, boosting public confidence in the safety of tap water.
“You should be very comfortable that when you turn on your tap that water is safe to drink,” Kocher said. “Once that confidence is shaken, it’s really hard to get people back to understanding that the water is safe to drink.”
In the hands of the states
As cyberattacks on public water utilities increase (the exact number is unknown, though part of the Cyber Incident Reporting for Critical Infrastructure Act, signed into law in 2022, aims to solve that issue), states and local governments are taking it upon themselves to pass cybersecurity legislation.
In 2022, New Jersey amended its 2017 Water Quality Accountability Act, which required water purveyors to develop cybersecurity programs. The law also required water utilities to establish cyber policies, plans and processes to identify and mitigate risks to public community water systems.
“I think you can go longer without energy than you can go without clean water,” said Michael Geraghty, New Jersey’s chief information security officer. “So [protecting] it is a priority for everybody and something that we’re all working together on, both on the physical and the cyber side.”
Geraghty said the law’s new amendments take into account the financial limitations of local governments more than the original state legislation. New Jersey also offers cybersecurity grants to state and local government entities, funded by the federal Infrastructure Investment and Jobs Act, which provides support for water infrastructure projects, such as cybersecurity upgrades.
“If you’re a gigantic enterprise, there’s a bazillion things you can do,” Geraghty said of large, privately owned water utilities. “That’s not always realistic for a small municipality.”
Public water utilities in New Jersey must take a cybersecurity program controls assessment test, answering 71 questions across 15 categories to show their incident response plans, policies and standards, as well as if they have a dedicated cybersecurity role, a position that is not always filled.
New Jersey water utilities also have to join the NJ Cybersecurity Communications and Integration Cell, an information-sharing and threat intelligence organization that offers advisories, bulletins, training opportunities, notifications and alerts to the sector.
Tools and training
Following the attack in Oldsmar, several states stepped up to address cybersecurity vulnerabilities at public water utilities. In 2021, Missouri passed a law to strengthen the cybersecurity and reporting measures that surround public water facilities and California commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.
Geraghty told StateScoop he compares the tailored cybersecurity resources the NJ state government provides small municipalities to tools in a garage, arguing that giving someone a random tool isn’t enough, you need to train them how to use it for it to be effective.
“Just because I have a compound miter saw [does] not make me a master carpenter. In fact, it’s going to provide me with more work that I’m never going to have time to get to,” Geraghty said. “Instead, what we’re trying to do is provide services for that monitoring detection response. So that they can continue to do what they’re doing, and we’ll provide them that help, rather than just buying a bunch of tools that they’ll never get around to using.”
Kocher, of the National Water Companies Association, said states that have passed water quality and accountability laws have been effective in advancing cybersecurity protections by providing a statewide standard, identifying what’s needed and how cybersecurity mandates are enforced, but that federal legislation is still urgently needed.
“We’ve been sounding the alarm for three years, saying that there needs to be more of a level playing field or a universal mandate for cybersecurity,” Kocher said. “But when it comes to something that requires spending or money or expertise that is outside of what is absolutely required, we just don’t always see that happening.”
Calling on Congress
Days after the November cyberattack in Aliquippa, Rep. Chris Deluzio of Pennsylvania and his state’s two senators, John Fetterman and Bob Casey, sent a letter to U.S. Attorney General Merrick Garland urging the Department of Justice to investigate the attack and hold the Iranian-backed group accountable.
“Any attack on our nation’s critical infrastructure is unacceptable,” the Pennsylvania lawmakers wrote in the letter. “If a hack like this can happen here in Western Pennsylvania, it can happen elsewhere in the United States.”
The Safe Drinking Water Act, passed in 1974, requires the Environmental Protection Agency every six years to review each national primary drinking water regulation, standards and treatment techniques that apply to all public water systems, and offer revisions if appropriate. However, the law, last amended in 1996, focuses on protecting public health by limiting the levels of contaminants in drinking water and doesn’t acknowledge modern cybersecurity threats.
In 2022, Pennsylvania failed to pass the Water Accountability Act, which would have required water authorities to develop a cybersecurity and inspection plan for valves that connect to hospitals or prevent wastewater backflows.
Opponents of the bill, including former Pennsylvania Gov. Tom Wolf, argued the law made it easier for private companies to acquire public water authorities, by mandating public utilities put a figure to the total cost of needed improvements, exposing funding deficits that could potentially be more easily filled through privatization, as reported by Spotlight PA.
At the federal level, the U.S Environmental Protection Agency, which sets cybersecurity standards and mandates for water utilities, ran into opposition as well.
Last March, the EPA issued a new rule requiring states to audit the cybersecurity of their water systems. Arkansas, Iowa and Missouri accused the agency of overstepping its authority and a federal appeals court ruling caused the EPA to rescind a policy that would have required U.S. public water systems to include cybersecurity testing in their regular, federally mandated audits.
States can access federal funding through various EPA grants and the $1 trillion bipartisan infrastructure law, however, a majority of those resources are dedicated to ensuring clean drinking water, not cybersecurity protections.
In addition, grant funding from CISA’s state and local cybersecurity program, which provides states $1 billion under the Infrastructure Investment and Jobs Act and awarded over a four-year period, are stretched thin between a variety of critical infrastructure, such as hospitals, police departments, courts, schools, local governments and other utilities, which also need cybersecurity improvements.
While cybersecurity threats to critical infrastructure are not unique to public water utilities, New Jersey CISO Michael Geraghty said if attacks are successful, the devastation would be unprecedented.
“It’s a common threat, but an uncommon impact,” Geraghty said. “I think everybody realizes just how critical the water sector is. And everybody has an interest in helping protect it.”