In a recent development, three members of Congress have called on the U.S. Justice Department to investigate a breach by foreign hackers targeting a water authority near Pittsburgh. This incident has raised concerns about the vulnerability of water and sewage treatment utilities nationwide.
U.S. Senators Bob Casey and John Fetterman, along with U.S. Representative Chris Deluzio, emphasized the importance of ensuring the safety of Americans’ drinking water and critical infrastructure. They expressed their concern that such attacks could be carried out by “nation-state adversaries and terrorist organizations.”
The compromised industrial control system, made in Israel, appears to have been deliberately targeted due to its connection to the country. A photo from the Municipal Water Authority of Aliquippa, Pennsylvania, revealed a message from the hackers stating, “Any piece of equipment that is manufactured in Israel’ is a Cyber Av3ngers legitimate target.”
The group behind this attack, Cyber Av3ngers, has been identified by leading cybersecurity companies as hacktivists aligned with Iran’s government. Experts believe that the recent escalation of hack attacks targeting Israeli infrastructure is a response to the Israel-Hamas conflict.
The breached device, manufactured by Israel-based Unitronics, is a programmable logic controller widely used in various industries, including water and sewage treatment utilities, electric companies, and oil and gas producers.
The cybersecurity breach has raised concerns about the lack of attention paid to cybersecurity in many water utilities. Experts argue that insufficient measures have been taken to protect critical infrastructure from cyber threats.
Following the attack, the water authority halted pumping temporarily in a remote station responsible for regulating water pressure in two nearby towns.
This incident occurred after the Environmental Protection Agency rescinded a rule requiring cybersecurity testing in regular federally mandated U.S. public water systems audits. The rollback was a response to a federal appeals court decision that favored Missouri, Arkansas, and Iowa, joined by a water utility trade group.
The Biden administration has been actively working to enhance the cybersecurity of critical infrastructure, which is predominantly privately owned. Regulations have been imposed on sectors such as electric utilities, gas pipelines, and nuclear facilities. However, experts argue that more needs to be done, as too many vital industries are still allowed to self-regulate.
The U.S. cybersecurity agency has warned that attackers likely exploited cybersecurity weaknesses, including poor password security and exposure to the internet, to breach the Unitronics device. Although the exact method of the hack in Aliquippa is unknown, the water authority chairman has expressed trust in the judgment of the federal agency.