TechHub: Water Utilities of All Sizes Deserve Strong Cybersecurity

Small water/wastewater providers don’t expect to be the target of a cybersecurity attack — especially one from a foreign government-backed group.

Malicious hackers tend to pursue large organizations with deep pockets in high-profile industries (e.g., MGM Resorts), but not always. The Municipal Water Authority of Aliquippa, which serves about 7,000 customers in Western Pennsylvania, is dealing with an attack from the Iranian-backed hacker group CyberAv3ngers.

“This attack in Aliquippa dispels the myth we often hear at GrayMatter, which is that small utilities and organizations aren’t targets,” says Scott Christensen, GrayMatter’s Cybersecurity Practice Lead.

Prioritize Security

"Water utilities want to be able to do the right things to protect their systems," Christensen said. "But they're often in a position where they have to choose the low-cost provider, or they don't have appropriate staff resources. Usually, that means security gets sacrificed."

In an interview with the Pittsburgh Post-Gazette, Christensen noted that the malicious hacker group appears to have exploited a Unitronics system at Aliquippa's utility to gain command and control capability over a remote facility that regulates water pressure.

Unitronics is a low-cost provider that has weak security protocols compared to similar systems on the market, he said.

Fortunately, the incident did not impact customers. Christensen said many utilities require IT employees to wear many hats. That means very few utilities have employees who specialize in cybersecurity for operational technology, the physical plant systems that connect to its larger network.

Compensating Controls Lower Risk

Aliquippa is not a GrayMatter customer. But its cybersecurity challenges mirror those of utilities across North America that GrayMatter has helped to build strong cybersecurity defenses.

"Water utilities really need to be empowered to do the right things," Christensen said.

"You never know what is going to cause someone to attack you. So, adopting the best cybersecurity hygiene practices is the way to go," he said. "That's why we try to help hundreds of water utilities raise the bar and bring maturity to their cybersecurity programs."

Devices with poor built-in security are a major concern that deserves more attention, Christensen said, noting research from the SANS Institute.

"The phrase we use is compensating controls," Christensen said. "You need a partner to help you figure out how to protect the equipment you're using, no matter its type. Then you can have a strategy to identify potential security gaps and build a more mature cybersecurity system."

Find Out More

Download GrayMatter's OT Cybersecurity eBook for more insight on industrial cybersecurity

DOWNLOAD THE GUIDE

Additional Reading
Learn more about the CyberAv3ngers' motivations related to the Israel-Hamas war on Cyberscoop.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.