Cyberattacks on 2 water utilities raise questions about US preparedness
BY: MIRANDA WILLSON | 01/09/2024 01:44 PM EST
The Pennsylvania and Florida hacks came after a lawsuit spurred EPA’s retreat from mandating cybersecurity protections for the water sector.
GREENWIRE | Beset by rising costs and regulatory pressures, water utilities have been slow to embrace cybersecurity.
That hit home late last year when hackers with ties to Iran hit water providers in western Pennsylvania and South Florida.
The November attacks came a month after EPA withdrew cybersecurity requirements for the water sector after a lawsuit filed by utility trade groups and Republican state attorneys general.
Richard Mroz, senior adviser at the infrastructure security firm Protect Our Power, said the federal government could play a meaningful role in protecting water supplies from cybercriminals since few states have cybersecurity requirements for the water sector.
“Industry is going to have to work with EPA to have a meaningful cybersecurity regime in place,” said Mroz, a former New Jersey utility regulator. “There’s a need to have this across the country.”
The Aliquippa, Pennsylvania, and Vero Beach, Florida, hacks were perpetrated by CyberAv3ngers, which has targeted equipment made by an Israeli company. While the Iranian-backed group has attacked networks in the U.S. and demanded ransom payments since at least 2021, the recent incidents could be motivated by the Israel-Hamas war, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
John Sullivan, chair of the industry cybersecurity network WaterISAC and chief engineer at the Boston Water and Sewer Commission, said it’s possible that additional hacks of water and sewer facilities since the start of the war have gone unreported. That’s because utilities aren’t required to flag attacks for the federal government.
Hackers, he said, could also breach a utility’s computer system without workers detecting the attack.
“We don’t know if people have been poking around and looking inside all our utilities anyway,” Sullivan said. “Not everybody wants to tell people, ‘I just got attacked,’ so we suspect highly there may be more [attacks].”
While the Pennsylvania and Florida utilities said they recovered from the hacks without affecting their consumers, cyberattacks on water providers could be dire.
In addition to demanding ransom payments, Sullivan said, there is a risk that hackers could change the chemical treatment of a water system and poison consumers, or empty a community’s water tanks.
Cybersecurity is just one of many expensive issues confronting water utilities. In the coming months, EPA is expected to finalize a pair of rules to remove lead pipes and drastically reduce carcinogenic “forever chemicals” in drinking water systems, respectively. The rules could cost billions of dollars for water providers nationwide over the next decade, according to the American Water Works Association (AWWA), a trade group.
Unlike with lead and chemical cleanups, there is virtually no federal funding for water utilities dedicated to cybersecurity, said Kevin Morley, AWWA’s manager of federal relations. While electric utilities received some cybersecurity funding from the bipartisan infrastructure law in 2021, that wasn’t the case for water providers, he said.
“There are huge economic pressures coming down on the sector, and I’m not saying that cyber is not a priority,” Morley said. “It’s just like, if you want me to do all this stuff at the same time, you’ve got to help me out a little bit.”
EPA and CISA have disputed the notion that addressing cybersecurity is expensive, arguing that many incidents could be prevented if more utilities adopt simple cybersecurity measures, such as changing passwords.
Hackers were able to breach Vero Beach’s wastewater plant, for example, because of “an old security password” on a single piece of equipment, the city’s water and sewer director, Rob Bolton, said during a public meeting last month. Officials immediately notified the police when the incident occurred around 2 a.m. on Thanksgiving.
EPA issued a memorandum last March directing states to include cybersecurity checks during periodic audits of water equipment and systems. Agency officials said the mandate was necessary to address the growing threat of cyberattacks on water systems.
Backlash was swift. AWWA, the National Rural Water Association and Republican state attorneys general sued EPA, arguing that the new requirement was unlawful and unworkable. EPA withdrew the memorandum in October.
Among other concerns, critics said state officials who complete the water system audits, known as sanitary surveys, often do not have cybersecurity expertise.
“We understood what EPA was trying to accomplish, but we didn’t think the sanitary survey was the right mechanism to do it,” said Dan Hartnett, chief advocacy officer at the Association of Metropolitan Water Agencies.
Lack of ‘cybersecurity culture’
To address cybersecurity, AWWA has called on Congress to create an industry organization that would set standards for water providers and be funded by utility dues.
Such an organization would be similar to the North American Electric Reliability Corp., which sets grid security standards for the electric power sector, and would be overseen by EPA, Morley said. He expects legislation to create such an organization to be introduced this year.
For now, CISA and EPA have resources to promote cybersecurity, but Morley said the word has not spread among utilities.
CISA, for example, has a free service that will scan water and wastewater utilities’ cyber networks and detect vulnerabilities. If that service had been marketed more effectively, Morley said, recent attacks might have been prevented.
“There has not been a sustained level of communication,” he said.
CISA released a fact sheet in September explaining the benefits of the vulnerability scanning service. Enrollment in the service has more than doubled since the beginning of 2023, the agency said, with 31 additional water and wastewater utilities going through onboarding now.
CISA also issued an advisory in response to the November attacks that outlined best practices for utilities.
“All organizations are encouraged to voluntarily share information about cyber incidents or unusual cyber activity with CISA,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement to E&E News last week.
EPA, meanwhile, is focused on promoting various programs and trainings for water utilities since withdrawing the cybersecurity memorandum.
Among other tools, EPA offers a cybersecurity evaluation program, in which the agency will send someone to assess a water utility and “generate a risk mitigation plan,” David Travers, director of EPA’s Water Security Division, told reporters during a media briefing last month.
“The issue for the water sector is both a limited technical capacity within the sector to address cybersecurity and a lack of a cybersecurity culture,” Travers said.
Still, EPA continues to support the establishment of cybersecurity requirements for the sector, Travers said. But utility participation in voluntary programs has been limited.
The vast majority of the nation’s 50,000-plus water utilities, for example, are not members of WaterISAC. While the cost of joining the association could be a potential barrier, small utilities can join the association for $100 a year, said Sullivan, the WaterISAC chair.
“Cybersecurity is not a strength of most water utilities. It’s a foreign thing,” he added. “We’re good at water, we’re good at chemicals, and we’re good at pipes. We’re not so good at this magic thing called a computer.”
A 2018 law, America’s Water Infrastructure Act, includes the only existing cybersecurity requirement for drinking water providers, although it excludes very small utilities. The law mandates that community water systems serving more than 3,300 people conduct a cybersecurity risk assessment and devise an emergency response plan to address potential vulnerabilities. Yet there’s no way for EPA or another regulator to ensure water systems actually implement changes.
Water utilities have always been “behind the times” when it comes to the latest technologies, because they need to keep their rates low, said Mike McGill, president of WaterPIO, a communications firm that works with utilities and state water agencies.
But utilities know the threat isn’t going away, McGill said.
“It’s still well-known that this needs to be done, because we are vulnerable,” he said.