On October 3, 2024, a cyber attack hit American Water, the United States’ largest regulated water utility, forcing the company to disconnect its systems to contain the incident.
Camden, New Jersey-based American Water provides clean drinking water and wastewater services to more than 14 million people in 14 states and 18 military facilities. It employs over 6,500 people and earned $4.3 billion in the 2024 financial year.
In a Form 8-K regulatory filing with the US Securities and Exchange Commission (SEC), American Water said it learned of the “cybersecurity incident” after detecting “unauthorized activity within its computer networks and systems.”
It responded by activating its internal cyber incident protocols, launching an investigation with internal and external cybersecurity experts, and notifying relevant regulatory and law enforcement authorities.
Largest US public water utility disconnects systems after a cyber attack
The cyber attack forced American Water to shut down certain services, including the MyWater customer portal, to protect customer data and “prevent any further harm” to its environment.
“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems,” American Water said in an online statement.
The shutdown prevented customers from making bill payments, but the water utility asserted that clients would not face late fees for the “short period” that the systems were unavailable. Late and disconnected fees would also not be assessed for the rest of October.
In addition, appointments affected by the cyber attack would be rescheduled to a later date.
Nonetheless, the cyber attack did not affect the safety of drinking water or the company’s operations and would likely have no material impact on operations or financial condition.
“The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident,” said American Water.
American Water is working diligently to restore impacted systems after verifying the safety of its cyber infrastructure to prevent a subsequent attack.
On October 10, the water utility announced it had restored the MyWater customer portal and resumed “standard billing processes.” The company’s call center also became operational and ready to handle customer queries.
However, information on whether the cyber attack compromised customer data or involved ransomware was not immediately available. American Water has not yet determined the attack vector.
“Investigations of this nature take time, and we will provide more information when and as appropriate,” the water utility said.
Meanwhile, American Water says it takes cybersecurity seriously, has taken additional measures to protect its systems, and is coordinating with relevant authorities to investigate the incident.
Yet another cyber attack on US critical infrastructure
While the American Water cyber attack resembles an ordinary cyber incident, US water systems are under pressure from various threat actors, including politically motivated hacktivists and state-sponsored hackers.
On September 22, 2024, the Arkansas City, Kansas, water utility suffered a cyber attack that forced the water treatment facility to resort to manual systems.
“This breach follows numerous warnings about the threat of attackers on critical infrastructure,” reiterated Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard. “Eight months later, we are still facing unprecedented threats to our nation’s critical systems.”
While the threat actor behind the Kansas water utility cyber attack remains unknown, the incident coincided with the Water Information Sharing and Analysis Center’s (WaterISAC) TLP:AMBER alert, warning about Russian threat actors targeting American water systems.
In November 2023, the Iranian hacktivist group Cyber Av3ngers breached a Pennsylvanian water utility by targeting Israeli-made Unitronics programmable logic controllers (PLCs).
“For cyberattacks and breaches, the key takeaway for organizations is that the question is not ‘if’ but ‘when’ a breach will occur and are they prepared?” noted James McQuiggan, Security Awareness Advocate at KnowBe4. “As a result, it is necessary to develop strong cybersecurity and risk management incident response programs to reduce the impact of such events and possibly prevent subsequent damage with fortified defenses.”