Late last month, the Environmental Protection Agency issued an urgent alert to water systems across the country after the agency found that about 70% of the providers it inspected since September 2023 violated federal standards enacted to prevent hacks or breaches.
The EPA said that it had taken enforcement actions against more than 100 water service providers since 2020, the first deadline for the utility systems to conduct a risk assessment and come up with an emergency response.
Local water systems found to have not complied with the requirements included Somerset Township Municipal Authority in November 2023 and Zelienople Borough in July 2022, according to EPA data analyzed by the Post-Gazette.
Just across Pennsylvania state lines, at least six Eastern Ohio water service providers were found to be noncompliant — including in Wellsville and Columbiana City — while another five were identified in West Virginia, including Cheat View Public Service Water Authority in Morgantown.
"EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them," the agency wrote in the May 20 alert.
Some of the vulnerabilities to water systems found by inspectors were blatant — for example, providers who used single logins for all staff members, failed to cut off access to former employees, and failed to change default passwords.
However, if local systems are hacked, the impacts could be severe, including altering the levels of chemicals in water to dangerous levels or disrupting the treatment and distribution of water, the agency said.
Late last year, a small water treatment facility outside Pittsburgh was hacked by a pro-Iran cyber group that targeted the Municipal Water Authority of Aliquippa in Beaver County — more specifically, a device it used to regulate liquid pressure, temperature and flow.
The hacker group that claimed responsibility for the attack, the Cyber Av3ngers, appeared to have targeted the device, made by Israel-based Unitronics, which was potentially using a weak default password.
The cyberattack ultimately had little effect because the water supplier was able to switch to manual controls almost immediately.
Michael Mattarock, executive director of national security research at Carnegie Mellon University, said that while the Aliquippa hack did not severely inconvenience customers, it represented the potential for more serious attacks.
"In the case of Aliquippa, there were manual overrides that were able to take the system offline and continue to function," Mr. Mattarock said. "The real concern is not necessarily disruption...there's implications of really messing up the chemical composition of that water."
Mr. Mattarock said, after the Aliquippa attack, CMU reached out to the Pittsburgh Water & Sewer Authority and the Hampton Shaler Water Authority to take a look at their cybersecurity measures.
What CMU researchers found was not very promising.
"There was definitely a lot to be sought after — we're talking pretty bare bones," he said. "I think if it wasn't for the local Aliquippa attack, I don't know that this would have even surfaced as a concern or priority."
The Municipal Water Authority of Aliquippa and the Hampton Shaler Water Authority did not respond to requests for comment.
Mr. Mattarock said many of the fixes, including removing default across-the-board login credentials and monitoring for suspicious users trying to access the system, are pretty basic.
"It doesn't take any kind of CMU Ph.D. expertise there," he said. "Those are some of the most basic vulnerabilities that exist right now that it's really a head scratcher why we can't harden those systems in those ways."
In the wake of the cyberattacks, PWSA said that it has reviewed guidance from the EPA and confirmed that it is following the agency's best practices.
PWSA also has been completing regular assessments to ensure its technology is secured and vulnerabilities are quickly identified, while also holding an ongoing cybersecurity education program for employees.
"Cybersecurity threats are constantly changing so it's important for our employees to understand new threats and how their daily actions can help to protect PWSA," authority spokeswoman Rebecca Zito said in a statement.
The utility company also has a dedicated cybersecurity team continuously evaluating its systems, Ms. Zito said.
However, it has not stopped people from outside the company from trying to carry out attacks on the system.
"Even with the utmost vigilance, we are constantly defending against things like phishing attacks," Ms. Zito said. "Our practice of ongoing monitoring, conducting regular assessments, and our established employee education program all help us to identify vulnerabilities and ensure that our technology infrastructure is secure."
Phishing attacks are attempts to use fraudulent emails, texts or phone calls to trick people or organizations into sharing sensitive data, downloading harmful malware, or exposing themselves to cybercrime in other ways.
Pennsylvania American Water, another one of the region's largest providers, has also been focusing on bolstering cybersecurity.
Gary Lobaugh, a spokesperson for American Water, which operates in 1,700 communities in 14 states, said the company was the first U.S. water company to earn the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act designation, one of the highest cybersecurity accreditations offered by the Department of Homeland Security.
Like PWSA, the company also has a dedicated cybersecurity team, Mr. Lobaugh said.
"American Water recognizes the essentiality of our water and wastewater services and acknowledges the severity of cyber threats," he said. "Our company has always endorsed a 'safety and security approach' to water and wastewater operations, and this persistence extends to cyber threats as well."
Meanwhile, Mr. Mattarock said the threats these companies face could come from the usual culprits, from somewhere in Russia, China, or the Middle East, but they could also come from essentially anyone with access to the internet and a bit of know-how.
"If there's a curiosity from a junior or novice kind of hacker that just wants to see if they can get into a water system, that's another threat," he said. "That could be a high schooler. It could be a college student just trying to demonstrate that they can do this."
© 2024 the Pittsburgh Post-Gazette. Distributed by Tribune Content Agency, LLC.