Three members of Congress, U.S. Sens. John Fetterman and Bob Casey, and U.S. Rep. Chris Deluzio, have called on the U.S. Justice Department to investigate a recent cyberattack on a water authority near Pittsburgh. The breach has prompted the nation's top cyberdefense agency to issue a warning to other water and sewage-treatment utilities about potential vulnerabilities. The lawmakers expressed concerns about the safety of Americans' drinking water and other critical infrastructure, urging Attorney General Merrick Garland to take action to protect against "nation-state adversaries and terrorist organizations."

The compromised industrial control system at the water authority in Aliquippa, Pennsylvania, was manufactured by Unitronics, an Israeli company. A photo released by the Municipal Water Authority of Aliquippa suggests that the hackers deliberately targeted the facility because of its connection to equipment made in Israel. The image captured a message from the hackers stating, "Every equipment 'made in Israel' is Cyber Av3ngers legal target." The group using the name Cyber Av3ngers had previously claimed responsibility for hacking ten water treatment stations in Israel. While it remains unclear if any equipment was shut down during those attacks, U.S. officials believe Cyber Av3ngers is behind the recent breach in Pennsylvania.

According to Matthew Mottes, the chairman of the Aliquippa water authority, federal officials informed him that hackers had also breached four other utilities and an aquarium. Although it is believed that other authorities have been affected, Aliquippa is believed to be the first to be targeted. Leading cybersecurity companies, Check Point Research and Google's Mandiant, have identified Cyber Av3ngers as a hacktivist group aligned with the Iranian government. The group's activities have intensified since the Israel-Hamas war, with a particular focus on targeting Israeli critical infrastructure.

The programmable logic controller breached in Pennsylvania is widely used in various industries, including water and sewage-treatment utilities, electric companies, and oil and gas producers. The device, manufactured by Unitronics, regulates processes such as pressure, temperature, and fluid flow. The U.S. Cybersecurity and Infrastructure Security Agency has confirmed that Unitronics is the manufacturer of the compromised device. However, it is unknown whether other facilities using Unitronics equipment have been hacked or are vulnerable.

The cyberattack on the water authority in Aliquippa prompted the temporary halt of pumping operations at a remote station responsible for regulating water pressure in two neighboring towns. The system was taken offline, and manual operation was implemented as a precautionary measure. This incident highlights the insufficient attention paid to cybersecurity by many water utilities.

Interestingly, the cyberattack occurred less than a month after the Environmental Protection Agency rescinded a rule that would have required U.S. public water systems to include cybersecurity testing in their regular audits. This rollback was a result of a federal appeals court decision in a case brought by Missouri, Arkansas, and Iowa, with support from a water utility trade group. The Biden administration has been striving to strengthen the cybersecurity of critical infrastructure, but critics argue that too many vital industries are allowed to self-regulate.

The U.S. cybersecurity agency has warned that the attackers likely exploited cybersecurity weaknesses, including poor password security and exposure to the internet, to breach the Unitronics device in Aliquippa. Although the exact method used in the hacking is unknown, Mottes trusts the judgment of the federal agency in this matter. The incident serves as a reminder of the pressing need to address cybersecurity vulnerabilities in critical infrastructure to ensure the safety and security of essential services.