American Water, the United States’ largest publicly regulated water and wastewater utility, has reported a cyber-attack affecting its internal systems. The New Jersey-based company, which serves over 14 million people across 14 states, discovered unauthorized activity within its networks on October 3, prompting immediate action to secure its operations.
Impact on Operations and Customer Services
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Monday, American Water stated that the cyber incident had not compromised the functionality of its water and wastewater facilities. These critical infrastructure components continue to operate normally, maintaining essential services for millions of Americans.
However, the company has taken precautionary measures in response to the breach:
- Specific systems have been disconnected to prevent further unauthorized access
- Customer billing operations have been suspended until further notice
- Late charges for customers have been waived during this period
American Water spokesperson Ruben Rodriguez emphasized the company’s commitment to protecting customer data and mitigating potential damage.
While the full scope of the breach is still under assessment, Rodriguez confirmed that law enforcement has been notified, and internal teams are working tirelessly to investigate the nature of the attack.
Cybersecurity Concerns in Critical Infrastructure
Earlier this year, U.S. intelligence agencies, including the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), warned of successful breaches by state-sponsored hackers from China targeting various critical infrastructure sectors, including water systems.
The American Water breach follows a series of high-profile cyber-attacks on water utilities in recent years. A notable incident occurred in 2021 in Oldsmar, Florida, where hackers attempted to poison the water supply by altering chemical levels.
These events underscore the potential for cybercriminals and nation-state actors to target essential public services, raising significant concerns about national security and public safety.
Challenges Facing Water Utilities
The attack on American Water brings attention to the broader challenges faced by the water sector, which often struggles with insufficient cybersecurity funding. Tim Erlin, a security strategist at Wallarm, pointed out that water utilities are increasingly reliant on modern digital technologies, such as APIs and web applications, which can introduce new vulnerabilities.
“Water and wastewater treatment facilities are often underfunded when it comes to cybersecurity, but they face the same threats as other organizations,” Erlin warned. He noted that while CISA has focused on the water and wastewater treatment sector, implementing necessary changes requires time and budget allocation.
The Role of Identity Security
Sean Deuby, a cybersecurity expert at Semperis, commented that the American Water attack was not entirely unexpected, given the increasing number of warnings issued by federal agencies. Deuby emphasized that attackers most commonly gain access to such systems through identity-based attacks, targeting vulnerable identity management systems like Active Directory.
“One common thread across all these campaigns is the use of identity for initial access, propagation, privilege escalation, and persistence,” Deuby explained. He advised organizations to prioritize protecting mission-critical systems that are frequently targeted by threat actors, whether they’re nation-state actors or cybercriminals.




