American Water Works, a company that provides water and wastewater services to customers in 14 states, recently reported a cyberattack on its IT systems. Although the breach was unspecified, the company assured that its operational technology (OT) systems were unaffected by the incident.
In response to the cyberattack, American Water Works issued a statement through an SEC filing and a FAQ on its website. The company announced that billing would be paused temporarily, with no late charges being added to customer bills. Additionally, call center services were limited during this time.
The FAQ explained that certain systems were disconnected or deactivated to protect customer data and prevent further harm to the environment. As a precautionary measure, MyWater, an online billing service, was taken offline until further notice. The company assured customers that the water supply remained safe to drink and stated that efforts were ongoing to determine if any customer data was compromised during the breach.
The cybersecurity incident was first detected on Oct. 3, prompting American Water Works to activate its incident response protocols and engage third-party cybersecurity experts to contain and mitigate the unauthorized activity within its computer networks. Law enforcement was promptly notified, and investigations into the nature and scope of the incident are ongoing.
While the full impact of the cyberattack remains uncertain, American Water Works believes that its water and wastewater facilities have not been negatively affected. IT teams are actively working to safeguard systems and data by implementing necessary security measures, including disconnecting or deactivating specific systems.
Speculation among cybersecurity analysts suggested that the incident could potentially be a ransomware attack, although the company did not confirm the nature of the attack. It is noteworthy that the water systems maintained their functionality despite the cyberattack, which highlights the importance of segregating IT and OT systems to enhance cybersecurity resilience.
American Water Works serves a significant number of communities across 14 states in the Central and Eastern U.S., as well as in California and Hawaii. The company’s operations extend to states like Iowa, Missouri, Illinois, Indiana, Kentucky, Tennessee, Georgia, West Virginia, Virginia, Pennsylvania, Maryland, and New Jersey.
This cyberattack on American Water Works is part of a worrying trend in the water sector, following a similar incident in Kansas and a recent Government Accountability Office (GAO) report advocating for increased EPA protections for water utilities. Researchers have raised concerns about the escalating cyber threats facing water utilities, emphasizing vulnerabilities stemming from outdated systems and inadequate security protocols.
The urgency to implement robust security measures in water utilities is underscored by the alarming fact that a significant percentage of inspected facilities fail to meet basic cybersecurity standards. The potential risks of operational disruptions and contamination of drinking water supplies pose significant threats to public health, necessitating immediate action to bolster security measures and safeguard critical infrastructure.
In conclusion, the recent cyberattack on American Water Works underscores the pressing need for enhanced cybersecurity measures in the water sector, highlighting the vulnerabilities that expose critical facilities to potential threats. Addressing these weaknesses through network segmentation and HMIs hardening is crucial to fortifying water utility security and ensuring the continuous and safe delivery of essential services to the public.