Small Pennsylvania Water Authority Falls Victim to Iranian-Backed Cyberattack
ICARO Media Group
In a shocking turn of events, the Municipal Water Authority of Aliquippa, a small water utility serving around 22,000 people in western Pennsylvania, became an unsuspecting victim of an international cyberattack. The attack, believed to be orchestrated by Iranian-backed hackers, targeted the water authority's equipment specifically because of the equipment's Israeli origins.
The incident has raised concerns among U.S. security officials about the vulnerability of water utilities to cyberattacks and the urgent need to strengthen their cybersecurity measures. The potential threat is not limited to Iran, as other geopolitical rivals, including China, are also viewed as potential attackers.
The Aliquippa water authority had never sought outside assistance to protect its systems against cyber threats, whether at its existing plant built in the 1930s or its new $18.5 million facility currently under construction. The chairman of the authority, Matthew Mottes, expressed his disbelief, saying, "If you told me to list 10 things that would go wrong with our water authority, this would not be on the list."
The consequences of such attacks are grave, with hackers potentially gaining control of automated water equipment to disrupt the water supply or even contaminate it by manipulating chemical treatments. While several states have taken steps to enhance scrutiny of cybersecurity in water utilities, experts argue that the lack of funding and expertise hinders progress in this regard.
The Municipal Water Authority of Aliquippa was fortunate to have a manual backup system that allowed it to respond quickly to the attack and prevent any disruptions to its customers. However, not all water authorities have such safeguards in place.
Recognizing the urgency, some states, including New Jersey and Tennessee, have passed legislation to address cybersecurity concerns. In California, a law has been enacted to improve cybersecurity in the agriculture and water sectors. However, similar bills have faced challenges in states like Pennsylvania and Maryland, where public water authorities oppose measures supported by private water companies, fearing privatization.
While water utilities grapple with the need to invest in cybersecurity, they also face the dilemma of underfunded infrastructure and compliance with clean water regulations. Aging pipes and increasing costs already strain these authorities, making cybersecurity a lower priority for residents hesitant about potential rate increases.
In response to the rising threat of cyberattacks, Pennsylvania State Representative Rob Matzie is working on legislation to establish a dedicated funding stream for water and electric utilities to upgrade their cybersecurity measures. However, the lack of an existing funding source poses a significant challenge.
Efforts at the federal level have seen mixed outcomes, with the U.S. Environmental Protection Agency proposing a new rule to audit the cybersecurity of water systems. However, the rule was quickly suspended, and ultimately withdrawn, after legal challenges.
To address the issue, two groups representing public water authorities, the American Water Works Association and the National Rural Water Association, are supporting different bills in Congress. One proposes a tiered regulatory approach based on the size and complexity of utilities, while the other suggests sending federal employees to assist smaller and rural systems in detecting and addressing cybersecurity vulnerabilities.
Unless Congress takes action, the Safe Drinking Water Act standards, which are currently voluntary, will remain in place. This has prompted water utilities to compete for grants from a $1 billion federal cybersecurity program established under the 2021 infrastructure law, alongside other entities such as hospitals, police departments, and local governments.
As the need for cybersecurity in water utilities becomes increasingly apparent, cybersecurity firms like Dragos Inc. are stepping in to offer support. Dragos is now providing free access to its online support and software for water and electric utilities with revenue below $100 million, aiming to help them detect and mitigate vulnerabilities and threats.
The cyberattack on the Aliquippa water authority serves as a wake-up call for the nation to address cybersecurity vulnerabilities in critical infrastructure. With the threat landscape evolving and the potential for devastating consequences, the need for robust cybersecurity measures in water utilities has become more pressing than ever before.