Two recent cyberattacks on water systems highlight vulnerability of critical infrastructure

Two recent hacks on water systems by cyber gangs that sympathize with foreign, hostile governments show the ongoing vulnerability of critical infrastructure.

The Municipal Water Authority of Aliquippa in Pennsylvania was attacked on the Friday night after Thanksgiving. The hackers breached the system that it uses to manage water pressure and left a message on the affected device that equipment made in Israel is “a legal target” given the country’s ongoing war with Hamas.

The utility’s general manager, Robert Bible, said it turned off the impacted equipment and operated one of its water pump stations in manual mode. Bible said the authority, which has about 15,000 customers, would replace the affected equipment to be safe.

In recent weeks, there have been several other hacks on Israeli-made equipment in the U.S., prompting four federal agencies and the Israel National Cyber Directorate to issue a joint advisory warning of “malicious cyber activity” against certain devices by groups linked to Iran’s Revolutionary Guard Corps.

The joint advisory warned that several organizations across multiple states had been breached by Iran-linked hackers, who call themselves the Cyber Av3ngers and have been targeting Israeli-made Unitronics computer products. In a bid to mitigate future attacks, the joint advisory recommended changing default passwords or disconnecting certain control systems from the internet in the immediate term, then strengthening security through multifactor authentication, backups, patches and other means.

Cybersecurity has been a sore spot for water systems for many years. Similar to other critical infrastructure, the sector is fragmented and underfunded, so it’s less able to keep up with evolving threats. The Environmental Protection Agency had sought to bolster cyber rules but backed off the plan earlier this year.

U.S. Rep. Chris Deluzio of Pennsylvania joined U.S. Sens. Bob Casey and John Fetterman in a joint letter to U.S. Attorney General Merrick Garland calling for the Department of Justice to investigate the attack on the water authority.

“We know that nation-state adversaries are targeting the weakest link in America’s critical infrastructure,” the trio wrote. “We must ensure that our state and local governments, along with private companies, have cyber-defenses strong enough to fend off attacks from sophisticated actors.”

The Pennsylvania hack came just days after another municipal water system experienced a cybersecurity issue that impacted some of its business operations. The North Texas Municipal Water District, which serves more than 2 million people across 13 cities in the state, at first reported experiencing an interruption in its phone service earlier this month.

A spokesperson later told The Record that while the attack didn’t affect the district’s core water, wastewater and solid waste services, it did require the utility to restore its business network and phone system. The investigation is ongoing.

A cybercrime gang known as Daixin Team, which has already hit medical systems in the U.S., took responsibility for the attack. The group said it had stolen more than 33,000 pieces of data but did not specify what it had taken. The gang has previously claimed to have stolen people’s names, dates of birth, Social Security numbers and other personal identifiable information.

Observers say there are a few ways utilities and other critical infrastructure providers can get their cybersecurity up to snuff. 

One such strategy is whole-of-state, which encourages better intergovernmental collaboration and information sharing. Michael Bimonte, chief technology officer for state, local and education at security firm Armis, said the approach will be “increasingly emphasized to address the problem.” The reason, he said, is because “every segment of local government is in a much stronger position to defend against acts of cyberwarfare.”

Observers worry that many utilities have been slow to adopt the best practices suggested in the joint advisory, such as changing default passwords or disconnecting certain control systems from the internet. In a May hearing before a House Energy and Commerce subcommittee, David Travers, director of the EPA’s Water Infrastructure and Cyber Resilience Division, said the lack of adoption of even simple cyber measures like multifactor authentication is the “most significant cyber risk in this sector.”

“Consequently, many water and wastewater systems remain highly susceptible to cyberattacks that could disrupt their operations,” he said.