‘Playbook’ helps industry guard against cyberattack
Late last year, Iran-affiliated hackers began attacking U.S. water systems that use Israeli-made computer equipment to control the addition of chemicals in their treatment plants — with one of the victims being the public water system in Aliquippa.
With the help of the federal government, the industry has developed a playbook to guard against such attacks.
For the most part, the precautions operators need to take against the various modes of attack are commonsensical — “cyber 101,” according to David Hozza, assistant teaching professor for cybersecurity at Penn State’s College of Information Sciences & Technology.
Those include firewalls, multi-factor authentication that includes strong passwords, and virtual private networks, rather than internet-connected ones, Hozza said.
The Iran-affiliated hackers attacked Aliquippa’s supervisory control and data acquisition system that ran its programmable logic controllers.
They were able to hack the system because it was on the public-facing internet, Hozza said. Such systems allow operators to adjust chemical flows in water treatment plants remotely, including from home.
If a hacker can acquire a username and password for those systems, thus gaining control, the hacker can change the rate of flow for chemicals, potentially harming a system’s customers.
Like many water systems, Aliquippa’s didn’t change the factory-default password on its controller, and hackers were able to obtain it, likely through a simple internet search, and take control of the program, according to Hozza.
Aliquippa also didn’t have a firewall or multi-factor authentication.
“It was a failure on all levels,” Hozza said.
Changing the factory default password to a strong one is a fundamental requirement.
Creating a strong password can prevent hackers from figuring out passwords through “brute force” programs that randomly generate millions of possibilities, running a script for hours, or by using a more efficient “dictionary” tactic that tries a limited set of known passwords, Hozza said.
Passwords should be “unique, strong and complex,” according to the Cybersecurity and Infrastructure Security Agency.
A simple tactic, beyond a strong password, is to lock out those making attempts after three to five failures, Hozza said.
In addition, firewalls are gatekeepers that permit entry only to authorized internet protocol addresses, blocking all other traffic. They retain information on the identity of sites that have proven to be problematic, almost like a “do not fly” list for airports, Hozza said. Their default settings can be denial, he said.
Another tactic, multi-factor authentication, comprises not only usernames and passwords, but also an appropriate response to a texted or emailed code sent to the user, so the user can confirm his or her own identity, according to Hozza.
Then there is the VPN, which encrypts information flowing back and forth, preventing hackers from intercepting usernames, passwords and the like in a form they can interpret, Hozza said.
Organizations also need to keep current with software updates on their equipment, which would contain the latest protective patches, according to a joint-agency advisory published by CISA.





