Water authority cyberattack sets scene for emerging risks
- November 9, 2025
- Posted by: Web workers
- Category: Finance
A thwarted cyberattack on a Pennsylvania water authority in November that was attributed to an Iran-aligned cyber group should serve as a warning to utilities throughout the United States, cyber experts say.
More attacks, which could lead to catastrophic incidents, are possible, so water districts should ensure they have at least basic cybersecurity measures in place to protect their systems, they say.
The resources of the more than 148,000 water systems in the U.S. vary dramatically, but even simple measures can go a long way in providing protection.
Government resources, including the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, and the Department of Commerce’s National Institute of Standards & Technology can provide valuable help, experts say.
In the Pennsylvania attack, an Iran-aligned cyber group, CyberAv3ngers, seized partial control of a booster station operated by the Municipal Water Authority of Aliquippa that used operational technology in the form of programmable logic controllers made by Unitronics, an Israeli company.
The hackers issued a warning against using “made in Israel” equipment during the attack, which was foiled and did not affect operations.
Other organizations in the United States and elsewhere were also reportedly attacked by the same group.
“What you have here is a cyberattack against our infrastructure on U.S. soil” that is backed by the Iranian Revolutionary Guard, said Joseph R. Weiss, managing partner at Applied Control Solutions LLC in Cupertino, California.
“I can’t say I’m all that surprised” by the attack, said Joey Sylvester, Baton Rouge, Louisiana-based managing director of cyber risk management at Arthur J. Gallagher & Co.
“It’s probably a matter of time” before there is somebody with the resources, technological know-how and motivation to do something bigger and broader, he said.
“It’s a big deal,” said William Altman, principal cybersecurity consultant with San Francisco-based CyberCube Analytics Inc.
“A cyberattack that impacts critical infrastructure, and specifically the operational technology structure, is very serious, as it could potentially bridge the divide between the digital and physical world,” and an attack on water facilities “rises to the highest level of severity and concern,” Mr. Altman said.
The Pennsylvania authority had not changed the default, out-of-the-box password for logging into its system, experts say.
Something as simple as changing the password might have safeguarded against the incident, said Joe Quinn, Chicago-based cyber claims leader at Willis Towers Watson PLC.
Jason Rebholz, McLean, Virginia-based chief information security officer at Corvus Insurance Holdings Inc., said that while it is already standard practice not to use default passwords, a “different mindset” is needed when the security lapse involves industry controls in an environment, such as water, that affects the “physical world.”
Help is available, experts say.
“The threat is constantly evolving, but there are certainly a number of things … that we encourage utilities to implement,” including guidance based on a NIST framework, said Kevin Morley, Washington-based manager, federal relations, for the American Water Works Association, an industry group.
It is a matter of “basic cyber hygiene,” Mr. Altman said.
Steps recommended by federal agencies include implementing multifactor authentication, using strong, unique passwords, and checking programmable logic controllers for default passwords.
Tom Finan, Washington-based senior vice president and a cyber insurance broker with WTW, said questions to address include whether redundancies are built into a system; if fired employees’ access capabilities are disabled; and whether employees are being effectively trained to not click on phishing links.
Well-funded water districts have expertise, and protections are top of mind, “but that isn’t necessarily the case across all water districts,” said Travis Wong, San Diego-based vice president of customer engagement at Resilience Cyber Insurance Solutions LLC.
Jennifer Lyn Walker, director of infrastructure cyber defense at the Washington-based Water Information Sharing & Analysis Center, said she encourages larger utilities to connect with neighboring, smaller ones and “take them under their wing.”
Mr. Finan, a former DHS official, said CISA and other parts of the department are “really trying to get out unclassified information to public entities as quickly as possible,” and typically provide practical advice.
“There are resources from CISA that can be very valuable to help the utility be able to monitor their network from the outside” and address issues such as a publicly facing port, Mr. Morley said. “That’s a great service that CISA provides multiple sectors.”


