States and Congress wrestle with cybersecurity after Iran attacks small town water utilities

This photo shows the screen of a Unitronics device on Nov. 25 that was hacked in Aliquippa, Pa. (Municipal Water Authority of Aliquippa/via AP)

HARRISBURG, Pa. — The tiny Aliquippa water authority in western Pennsylvania was perhaps the least-suspecting victim of an international cyberattack.

It had never had outside help in protecting its systems from a cyberattack, either at its existing plant that dates to the 1930s or the new $18.5 million one it is building.


Then it — along with several other water utilities — was struck by what federal authorities say are Iranian-backed hackers targeting a piece of equipment specifically because it was Israeli-made.

“If you told me to list 10 things that would go wrong with our water authority, this would not be on the list,” said Matthew Mottes, the chairman of the authority that handles water and wastewater for about 22,000 people in the woodsy exurbs around a one-time steel town outside Pittsburgh.

The hacking of the Municipal Water Authority of Aliquippa is prompting new warnings from U.S. security officials at a time when states and the federal government are wrestling with how to harden water utilities against cyberattacks.

The danger, officials say, is hackers gaining control of automated equipment to shut down pumps that supply drinking water or contaminate drinking water by reprogramming automated chemical treatments. Besides Iran, other potentially hostile geopolitical rivals, including China, are viewed by U.S. officials as a threat.

A number of states have sought to step up scrutiny, although water authority advocates say the money and the expertise are what is really lacking for a sector of more than 50,000 water utilities, most of which are local authorities that, like Aliquippa’s, serve corners of the country where residents are of modest means and cybersecurity professionals are scarce.

Besides, utilities say, it’s difficult to invest in cybersecurity when upkeep of pipes and other water infrastructure is already underfunded, and some cybersecurity measures have been pushed by private water companies, sparking pushback from public authorities that it is being used as a back door to privatization.

Efforts took on new urgency in 2021 when the federal government’s leading cybersecurity agency reported five attacks on water authorities over two years, four of them ransomware and a fifth by a former employee.

At the Aliquippa authority, Iranian hackers shut down a remotely controlled device that monitors and regulates water pressure at a pumping station. Customers weren’t affected because crews alerted by an alarm quickly switched to manual operation — but not every water authority has a built-in manual backup system.

With inaction in Congress, a handful of states passed legislation to step up scrutiny of cybersecurity, including New Jersey and Tennessee. Before 2021, Indiana and Missouri had passed similar laws. A 2021 California law commissioned state security agencies to develop outreach and funding plans to improve cybersecurity in the agriculture and water sectors.

Legislation died in several states, including Pennsylvania and Maryland, where public water authorities fought bills backed by private water companies to force them to upgrade various aspects of their infrastructure, including pipes and cybersecurity measures.

Private water companies say the bills would force their public counterparts to abide by the stricter regulatory standards that private companies face from utility commissions and, as a result, boost public confidence in the safety of tap water.

“It’s protecting the nation’s tap water,” said Jennifer Kocher, a spokesperson for the National Association of Water Companies. “It is the most economical choice for most families, but it also has a lack of confidence from a lot of people who think they can drink it and every time there’s one of these issues it undercuts the confidence in water and it undercuts people’s willingness and trust in drinking it.”

Opponents said the legislation is designed to foist burdensome costs onto public authorities and encourage their boards and ratepayers to sell out to private companies that can persuade state utility commissions to raise rates to cover the costs.

“This is a privatization bill,” Justin Fiore of the Maryland Municipal League told Maryland lawmakers during a hearing last spring. “They’re seeking to take public water companies, privatize them by expanding the burden, cutting out public funding.”

For many authorities, the demands of cybersecurity tend to fade into the background of more pressing needs for residents wary of rate increases: aging pipes and increasing costs to comply with clean water regulations.

In March, the U.S. Environmental Protection Agency proposed a new rule to require states to audit the cybersecurity of water systems.

It was short-lived.

Three states — Arkansas, Missouri and Iowa — sued, accusing the agency of overstepping its authority and a federal appeals court promptly suspended the rule. The EPA withdrew the rule in October, although a deputy national security adviser, Anne Neuberger, told The Associated Press that it could have “identified vulnerabilities that were targeted in recent weeks.”

Leave a Reply

Your email address will not be published. Required fields are marked *


By participating in online discussions you acknowledge that you have agreed to the Star-Advertiser's TERMS OF SERVICE. An insightful discussion of ideas and viewpoints is encouraged, but comments must be civil and in good taste, with no personal attacks. If your comments are inappropriate, you may be banned from posting. To report comments that you believe do not follow our guidelines, email