American Water Company, the largest publicly traded U.S. water and wastewater utility company, was forced to shut down some of its systems after a Thursday cyberattack.
“On Thursday, October 3, 2024, American Water learned of unauthorized activity in our computer networks and systems,” said the company in a press release. “This activity has since been determined to be the result of a cybersecurity incident. In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems.”
“We proactively took MyWater offline, which means we are pausing billing until further notice. We are working diligently to bring these systems back online safely and securely,” said the press release. “Upon learning of the issue, our team immediately activated our incident response protocols and third-party cybersecurity professionals to assist with containment, mitigation and an investigation into the nature and scope of the incident. We also notified law enforcement and are coordinating fully with them.”
The company reported to the U.S. Securities and Exchange Commission (SEC) that it had hired third-party cybersecurity experts to help contain and assess the incident’s impact.
“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems,” the 8-K regulatory filing reads.
The MyWater customer portal is offline, pausing billing until further notice but there will be no late charges or services shut off while the system remains unavailable. American Water claims that it regrets any inconvenience caused and is working diligently to resolve the issue.
The utility company believes that none of its water or wastewater facilities or operations have been negatively impacted by the incident. However, the exact details of the nature and number of systems affected, or details of the type of attack vector used remain unclear.
The company owns 80 surface water treatment plants, 480 groundwater treatment plants, 175 wastewater treatment plants, 53,500 miles of pipes, 1,100 groundwater wells, 1,700 water and wastewater pumping stations, 1,100 treated water storage facilities, and 73 dams.
The company serves 14 million people with regulated operations in 14 states and on 18 military installations and it is subject to regulation by multiple state utility commissions or other entities engaged in utility regulation.
Federal, state, and local governments also regulate environmental, health, and safety, and water quality and water accountability matters.
Commenting on the American Water Works cybersecurity incident, Tim Erlin, security strategist at Wallarm, wrote in an emailed statement that critical infrastructure isn’t immune from the digital transformation that other organizations are undergoing, including the reliance on APIs and applications.
“We saw real-world proof that cybersecurity can impact water safety with the 2021 incident in Oldsmar, Florida, and just last month a water treatment plant in Kansas implemented manual controls because of a cyber incident,” Erlin noted. “There’s no doubt that we’ll learn more as the incident investigation progresses, but the fact that they’d disconnected online systems could point to an API or web application attack. Just as other industries have adopted APIs, critical infrastructure has moved forward in how they connect to customers and other facilities.”
He also highlighted that water and wastewater treatment facilities are often underfunded when it comes to cybersecurity, but they face the same threats as other organizations. “CISA, the federal agency tasked with securing critical infrastructure, has focused on the water and wastewater treatment sector, but these changes take time and budget. Of course, the attack surface continues to shift with new technologies, new ways of connecting, and new threats.”
Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity alert, highlighting ongoing efforts to address active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices, particularly within the water and wastewater systems (WWS) sector. The alert once again pointed out that exposed and vulnerable OT/ICS systems may allow cyber threat adversaries to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm.
The CISA alert came after a reported cybersecurity incident at Arkansas City’s water treatment plant early Sunday. Officials from the FBI and the U.S. Department of Homeland Security are currently in Arkansas City to investigate the cyberattack. The city has assured residents that the water supply remains safe and uninterrupted. However, details of the nature and number of systems affected remain uncertain.