By Sean Lyngaas and Kristina Sgueglia, CNN
(CNN) — A Pennsylvania water utility is still dealing with the fallout of pro-Iran hackers breaching some of its industrial equipment four days ago, including having to operate one of its water pump stations in manual mode, the utility’s general manager told CNN on Tuesday.
“It’s a pain,” Robert J. Bible said. “Somebody’s got to wake up at 3 in the morning and go turn on or turn off those pump stations. It’s just a big inconvenience until we can get the (automated) system back up and running.”
The hackers breached the equipment – which the Pittsburgh-area utility uses to manage water pressure – on the Friday night after Thanksgiving, displaying a message on the monitor that Israel-made gear was fair game amid the ongoing Israeli-Hamas war and stunning Bible, general manager of the Municipal Water Authority of Aliquippa, and his colleagues.
Federal authorities are investigating the intrusion.
The Municipal Water Authority of Aliquippa (MWAA), which serves about 15,000 people in the Pittsburgh area, has decided to replace the Israeli-made equipment as a precaution, Bible told CNN.
“That was maybe the furthest thing from my mind,” he said of being caught up in the array of politically motivated cyberattacks that have accompanied the war in the Middle East. “Especially for a community. We only serve 15,000 people. You wouldn’t put two and two together.”
The incident has had no impact on water quality or service. Bible said the hack was limited to one machine at a station that boosts water pressure for two nearby townships, and that his colleagues quickly contained the incident.
But the small water utility now finds itself at the center of a federal and state investigation into how the pro-Iran hackers were able to gain access to the pump station. The MWAA has handed the FBI a digital copy of the hacked industrial equipment, and FBI and Department of Homeland Security officials have been in touch regularly since the hack, Bible said.
The incident has raised concerns in Washington. The White House National Security Council has in recent days had multiple meetings about the hack of the water utility and an unrelated cyberattack that has diverted ambulances in multiple states, a US official familiar with the meetings told CNN.
“We are closely engaged with sector and interagency partners to understand this evolving situation and provide any necessary support or guidance,” Eric Goldstein, a senior official at the Cybersecurity and Infrastructure Security Agency (CISA), said in a statement to CNN.
System has Israeli-owned components
Officials were notified Friday of a communication failure at a station that supplies boosted water pressure to two townships. When on-call personnel arrived, a computer screen that helps control pumps at the station was blank, said Bible.
After a battery was replaced, “a red screen appeared with the hack notice,” and it was immediately shut down while the system was switched to manual, Bible said.
No other facilities were impacted, and “at no point” was water service disrupted or water quality affected, said Bible. State and federal authorities were contacted Saturday, and the investigation is ongoing, he said.
“Federal officials are assisting the investigation, and I remain ready to help with federal agencies,” US Rep. Chris Deluzio said in a statement this week.
The machine that was hacked uses a system called Unitronics, which has Israeli-owned components, Aliquippa water authority Chairman Matthew Mottes told CNN affiliate KDKA.
The group has not claimed responsibility on X, formerly known as Twitter, but has claimed responsibility for hacking several water treatment stations in Israel since the October 7 attacks – claims CNN has not substantiated.
CNN is attempting to reach Israeli authorities for comment.
A wider concern across US water sector
The Aliquippa water authority is beefing up cybersecurity in the wake of the hack, Bible said, but he declined to discuss specific security settings the water utility had in place for the hacked equipment, citing an ongoing investigation.
The US water sector, which spans 150,000 public water systems, has often struggled to find the cash and personnel to deal with hacking threats. In a 2020 survey, just 19% of water professionals were confident that fees and rates could cover existing services for their utilities, let alone the cost of upgrading their infrastructure.
The Biden administration has tried to use a mix of regulation and federal support for new cyberdefense technologies to address the problem. But the Environmental Protection Agency in October was forced to rescind a key cybersecurity regulation for public water systems following a legal challenge from Republican attorneys general.
Many smaller water utilities “don’t have the help they need, in part because they don’t know where to go or who to ask for help, especially without paying an arm and a leg,” said Jennifer Lyn Walker, director of infrastructure cyber defense for the Water Information Sharing and Analysis Center, an industry threat-sharing group. “The fact is that smaller utilities don’t have to be in this alone. There is a lot of assistance (and) guidance available for no or low cost.”
The type of industrial computers used by Aliquippa water authority, known as programmable logic controllers (PLCs), allow machinery to communicate at industrial plants around the world. The PLCs are generally supposed to be cut off from the public internet to prevent hackers from getting in.
But Ron Fabela, an industrial cybersecurity expert, told CNN on Tuesday that he has found numerous cases — at critical infrastructure facilities in multiple states — of the exact same make and model of equipment that was compromised at the Aliquippa water authority that were sitting on the public internet. That can make gaining access to sensitive industrial facilities relatively easy for hackers.
Fabela said he has reached out to the FBI and CISA to help get the industrial equipment secured. CNN has requested comment from those agencies.
“Insecure access to critical infrastructure is still the primary attack vector for threat actors like (the pro-Iran group),” said Fabela, who works at industrial security firm Xona Systems.
Hospitals forced to reroute ambulances
A recent cyberattack forced multiple hospitals across several states to reroute ambulances on Thanksgiving Day.
Some facilities were also forced to reschedule non-emergency surgery. All of the affected hospitals were owned, or partly owned, by Ardent Health Services, a Tennessee-based company that owns more than two dozen hospitals in at least five states.
A new federal program aims to warn critical American companies their systems are vulnerable to ransomware attacks. The US Cybersecurity and Infrastructure Security Agency says it has warned 60 organizations in sectors including healthcare and water they are vulnerable to such attacks.
After suspected Iranian hackers claimed a string of recent attacks on Israeli security cameras, Israeli and US officials expressed concerns about potential ransomware attacks.
The FBI has accused Iranian government-backed hackers of an attempted hack of Boston Children’s Hospital in 2021, which did not endanger patients but nonetheless alarmed US officials. Tehran denied the allegation.
In recent weeks, US officials have been preparing for a similar scenario in which Iranian hackers conduct a disruptive attack on US critical infrastructure, a senior US official previously told CNN, speaking on the condition of anonymity because they were not authorized to talk to the press.
This story has been updated with new information.
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.