Connecting Waterpeople

US tries to mitigate cyber attacks on water infrastructure

  • US tries to mitigate cyber attacks on water infrastructure

At the end of November, Aliquippa’s municipal water system, serving 6,615 customers, in western Pennsylvania, reported hackers had taken partial control of its water system.

The hackers claimed to be with a cyber guerilla group from Iran, reported Beaver Countain, and managed to shut down a pump on a supply line providing drinking water from the Aliquippa Municipal Water Authority’s treatment plant to Raccoon and Potter townships. The Water Authority was forced to switch to manual systems, according to WaterISAC, an industry information-sharing body.

Once the pump was shut down, a message that read “You have been hacked. Down with Israel. Every equipment ‘made in Israel’ is Cyber Av3ngers legal target,” Beaver Countain reported.

Since then, the hackers have targeted other drinking water and sewage systems across the United States, reports Bloomberg.

Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said to Bloomberg that a small number of water utilities have been compromised and has encouraged operators to reinforce their security systems. “We are aware of active targeting by these actors and exploitation.”

Goldstein added that so far, there has been no known impact on safe drinking water or operational systems.

The “CyberAv3ngers”, affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps, has taken responsibility for the various attacks. The group has targeted the technology that runs physical systems, called programmable logic controllers. These systems were produced by an Israeli company called Unitronics.

These controllers are integral to physical systems, widely used in water and wastewater facilities, as well as other industries such as energy, food and beverage manufacturing, and health care, according to information from US and Israeli government agencies. The US designated the IRGC as a terrorist organization in 2019.

In a joint cybersecurity advisory released recently by US agencies (including CISA, the FBI, and the National Security Agency) and the Israeli National Cyber Directorate, a warning was issued regarding the vulnerability of these controllers to cyber breaches. The advisory highlighted the risk associated with internet-connected controllers, often using default passwords provided by the manufacturer.

Since 2020, CyberAv3ngers has claimed responsibility for various attacks on critical infrastructure organizations.

Paul Lukoskie, director of threat intelligence services at cybersecurity firm Dragos, which is assisting Unitronics customers in protecting themselves, spoke to Bloomberg and emphasized the importance of keeping critical infrastructure systems off the public internet and behind a robust firewall.

Richard Caralli, Senior Cybersecurity Advisor at Axio, told Smart Water Magazine: “Municipal water is an under-appreciated attack target. It has several challenges: limited cybersecurity budget and staff, significant third-party dependencies, and one of the most direct vectors for causing wide-spread effects on life, safety, and health.”

To prevent these types of threats, Caralli added that small organizations should:

  • Conduct a cybersecurity assessment on their IT and OT operations, networks, and key assets to identify weaknesses and prioritize actions. Understanding where attackers might exploit weaknesses is paramount. 
  • Understand potentially inherited third-party risks, particularly since smaller organizations are typically highly dependent on third parties for systems and equipment updates, data storage, etc.
  • Have well-developed and exercised incident response plans, including recovery and restoration plans for key operations.

Subscribe to our newsletter

Topics of interest

The data provided will be treated by iAgua Conocimiento, SL for the purpose of sending emails with updated information and occasionally on products and / or services of interest. For this we need you to check the following box to grant your consent. Remember that at any time you can exercise your rights of access, rectification and elimination of this data. You can consult all the additional and detailed information about Data Protection.

Featured news

20/01/2025 · Infrastructure

Lower Molonglo Water Quality Control Centre (LMWQCC) drone footage 2017