America’s Largest Water Utility Falls Victim to Cyberattack

Hacker

American Water, the largest water utility in the U.S., falls victim to a cyberattack, forcing a halt to billing services while water operations remain unaffected.

At a Glance

  • American Water Works, serving 14 million people across 14 states, reported a cyberattack.
  • Billing services and customer support systems were shut down as a precautionary measure.
  • Water and wastewater operations remain unaffected, ensuring continued safe service.
  • The company is working with cybersecurity experts and law enforcement to address the incident.
  • This attack highlights ongoing cybersecurity vulnerabilities in the U.S. water sector.

Cyberattack Disrupts American Water’s Customer Services

American Water Works, the nation’s largest regulated water and wastewater utility company, announced on Monday that it had fallen victim to a cyberattack. The incident prompted the company to take swift action, including the suspension of its billing services and the shutdown of specific systems to prevent further unauthorized activity.

The attack, discovered on October 3, has affected the company’s MyWater account system and call center operations. American Water, which serves approximately 14 million people across 14 states and 18 military installations, has assured customers that their water and wastewater services remain unaffected by the incident.

Company Response and Impact

In response to the cyberattack, American Water has taken decisive steps to protect its systems and data. The company stated that it is working “around the clock” to address the situation and has engaged cybersecurity experts to assist with containment and mitigation efforts.

“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its system,” American Water reported in a statement.

While the full impact of the incident is yet to be determined, American Water has reassured its customers that they will not incur late charges while the systems are down. The company has also filed a report with the Securities and Exchange Commission (SEC) and notified law enforcement authorities about the attack.

Broader Implications for U.S. Water Infrastructure

This cyberattack on American Water underscores the growing vulnerability of critical infrastructure in the United States, particularly in the water sector. The Environmental Protection Agency (EPA) has highlighted significant cybersecurity weaknesses, with over 70% of water systems not fully compliant with the Safe Drinking Water Act.

The incident follows recent warnings from cybersecurity agencies about ongoing threats to operational technology and industrial control systems in the water sector. It also comes in the wake of reports that a Chinese state-sponsored threat actor has been targeting critical infrastructure, including water systems, for up to five years.

Call for Enhanced Cybersecurity Measures

The attack on American Water has reignited calls for stronger cybersecurity measures in the water sector. Currently, much of the sector’s cybersecurity efforts are voluntary, leading to criticism of the EPA and demands for Congress to enhance the agency’s authority.

In response to rising threats, the EPA plans to increase water security inspections. Additionally, a new critical infrastructure policy requires annual risk mitigation updates from utility companies. American Water’s 2023 annual report detailed the company’s “defense-in-depth” cybersecurity strategy, based on the National Institute of Standards and Technology (NIST) framework, highlighting the growing importance of robust cybersecurity measures in the water sector.

As investigations into the American Water cyberattack continue, the incident serves as a stark reminder of the ongoing challenges facing U.S. critical infrastructure and the urgent need for enhanced cybersecurity protocols across all sectors.

Sources:

  1. American Water Works believes no water, wastewater facilities affected by cyberattack
  2. American Water pauses billing after cyberattack
  3. Major U.S. water company hit by cyberattack
  4. American Water disables systems following cyber attack
  5. American Water, the Largest Water Utility in US, Is Targeted by a Cyberattack
  6. American Water Works cyberattack forces company to pause billing