
PA officials seek investigation as adversaries target water systems

Attackers are taking on water, and government officials want investigations.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

In a Nov. 28 letter to the Department of Justice, three government officials from Pennsylvania called for a federal investigation into a cyberattack on the Municipal Water Authority of Aliquippa, a city located in the western part of the state, near Pittsburgh.

The trio—Sen. John Fetterman, Sen. Bob Casey, and Rep. Chris Deluzio—expressed concern over an emerging bull’s-eye for cyberattackers around the world: utilities.

“We know that nation-state adversaries are targeting the weakest link in America’s critical infrastructure. We must ensure that our state and local governments, along with private companies, have cyber-defenses strong enough to fend off attacks from sophisticated actors,” the joint letter read.

The attack on the water-system equipment occurred on Nov. 24, the note said.

CISA says. The Cybersecurity and Infrastructure Security Agency (CISA) recommended important cyber-defenses on Nov. 28, the same day as the letter:

  • Change default passwords on programmable logic controllers (PLC). (“Ensure the Unitronics PLC default password ‘1111’ is not in use,” its Nov. 28 advisory read.)
  • Other recommendations included using multi-factor authentication for all remote access, disconnecting the PLC from the open internet, and creating an IP “allow list.”

Although CISA did not disclose specific names and facilities, the agency said it was investigating “active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector.”

“The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the CISA advisory continued. A joint statement from multiple agencies on December 1 warned of “continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.”

In Pennsylvania… The hackers targeted a small substation in Raccoon Township, a report from Pittsburgh’s WTAE said, shutting down a device used to automatically maintain water levels:

The threat actors left a message claiming to be the Cyber Av3ngers, an Iran-aligned group.

The message on the control screen: the system “had been hacked by legal right from the Cyber Avengers, Down with Israel,” Matthew Mottes, Aliquippa Water Authority chairman, told WFMZ in Pennsylvania.

What’s the worst that could happen? In March, the Environmental Protection Agency announced a mandate that water-system audits include a cybersecurity assessment—a rule the EPA ultimately reversed in October, citing litigation; the agency advised orgs to conduct voluntary reviews.

A worst-case water scenario: a hostile foreign, state-backed attacker targeting infrastructure during wartime, according to Ashley Johnson, senior policy analyst for the Information Technology & Innovation Foundation, a DC-based think tank, who spoke with IT Brew in October.

“Foreign states and foreign state-backed attackers are, most of the time, going to have the most sophisticated and best available resources to attack you… So it means that you need to have very strong cybersecurity, because these are the toughest attackers you could possibly go up against,” Johnson said.
