States and Congress grapple with water utilities’ cybersecurity amidst federal alerts

January 2, 2024

A cyberattack on a municipal water authority in Pennsylvania has raised concerns about the vulnerability of water utilities to hacking. The attack was attributed to Iranian-backed hackers who targeted a piece of Israeli-made equipment. Security officials warn that hackers gaining control of automated equipment could shut down pumps supplying drinking water or contaminate water by reprogramming automated chemical treatments.

Several states have introduced legislation to address cybersecurity in water utilities, but water authority advocates argue that a lack of funds and expertise is the main obstacle. The upkeep of water infrastructure is already underfunded, and some cybersecurity measures have been seen as attempts to privatize the sector. Efforts to improve cybersecurity in the water sector have taken on new urgency after five attacks on water authorities were reported by the federal government’s leading cybersecurity agency over two years. Some states have passed legislation to enhance scrutiny of cybersecurity, while others have opposed bills backed by private water companies.

The American Water Works Association and the National Rural Water Association, representing public water authorities, support bills in Congress to address cybersecurity concerns. The groups propose a tiered approach to regulation, with more requirements for larger or more complex utilities, and the deployment of federal employees called “circuit riders” to help smaller water systems detect and address cybersecurity weaknesses. If Congress does not act, the existing Safe Drinking Water Act standards, which are largely voluntary, will remain in place.

Water utilities can apply for grants from a $1 billion federal cybersecurity program, but they will face competition from other utilities and organizations. Cybersecurity firm Dragos Inc. has started offering free access to its online support and software to help water and electric utilities detect vulnerabilities and threats. CEO Robert M. Lee said that most utilities lack cybersecurity help and that the feedback from those who received assistance has been positive.