Hackers break into two government water purification systems in Pennsylvania

Local media and security researchers in Pennsylvania, U.S., report that a specialized unit of the Federal Bureau of Investigation (FBI) is investigating multiple hacking attempts against two major public water systems in the state. These hacking attempts come after a group of hackers successfully gained access to a water system in Florida in early 2021.

Guy Kruppa, superintendent of Belle Vernon Municipal Authority, mentions: “This is alarming because of the type of service we provide; we continue to monitor chlorine and pH levels of water supplied to more than 2,000 households to prevent threat actors from manipulating these critical indicators.”

Kruppa also notes that if more chlorine or more phosphate is added to the water supplied, users’ health could be compromised, which could only be prevented with full drainage of deposits: “It’s certainly an extreme we don’t want to reach,” the official says.

As mentioned at the beginning, this is a situation that was reached a few months ago in Oldsmar, Florida. On that occasion, local authorities mentioned that a hacker managed to access water systems and raise the level of sodium hydroxide; this substance is used as a disinfectant agent, although in high quantities it can be highly harmful. Fortunately, Florida public officials detected this malicious activity and reversed the modifications in time.

After revealing the attack, the public water authority in Pennsylvania shared some cybersecurity tips for implementation in other public organizations, including 2,000 municipal authorities. Local authorities also asked municipal organizations to establish an annual cybersecurity plan to prevent potential attacks; however, infrastructure constraints in these organizations can work against such plans and become a real security risk.

A federal law passed three years ago requires water system controllers to assess potential cybersecurity risks and prepare an emergency response plan, although smaller systems are not subject to these guidelines.

On the other hand, cybersecurity specialist Scott Christensen mentions that hacking attempts against these resources have increased recently: “We have detected an increase in the number of security incidents targeting industrial assets such as pumps, valves and facilities in general.”
