American Water Hit by Cyber-Attack, Billing Systems Disrupted

American Water, the largest publicly regulated water and wastewater utility in the US, disclosed on Monday that it had fallen victim to a cyber-attack affecting certain internal systems.

The New Jersey-based company, which provides essential water and wastewater services to over 14 million people across 14 states, said it moved quickly to secure its operations after discovering unauthorized activity within its networks on October 3.

Systems Secured, Billing Paused

In a regulatory filing with the US Securities and Exchange Commission (SEC) on Monday, American Water confirmed that the attack had not impacted the operation of its water and wastewater facilities, which continue to function normally.

However, the company acknowledged that it is still assessing the full scope of the breach.

As a precautionary measure, it has disconnected specific systems and suspended customer billing until further notice. Customers have been assured they will not face late charges during this period.

Ruben Rodriguez, a spokesperson for American Water, told TechCrunch the company’s focus is on protecting customer data and preventing further damage.

He confirmed that law enforcement has been notified, and internal teams are working around the clock to investigate the nature of the breach.

Rodriguez did not disclose which systems were compromised or provide specific details about the type of cyber-attack.

Cybersecurity Concerns in US Critical Infrastructure

The incident comes at a time of increasing concern over cybersecurity vulnerabilities in US critical infrastructure, particularly in water and wastewater systems.

Earlier this year, US intelligence agencies, including the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), warned that state-sponsored hackers from China had successfully breached several critical infrastructure sectors, including water systems. The hackers were said to be capable of maintaining long-term access to these networks, potentially disrupting operations during a crisis.

Read more about the advisory: CISA Warns Critical Infrastructure Leaders of Volt Typhoon

In recent years, there have been several high-profile cyber-attacks on water systems in the US, including an incident in 2021 in Oldsmar, Florida, where hackers attempted to poison the water supply by altering chemical levels.

Such attacks have raised alarms about the potential for cybercriminals and nation-state actors to target essential public services.

Underfunded Water Utilities Face Growing Cyber-Threats

The American Water breach has once again drawn attention to the broader challenges of the water sector, which often lacks sufficient cybersecurity funding.

Tim Erlin, a security strategist at Wallarm, noted that water utilities are increasingly reliant on modern digital technologies, such as APIs and web applications, which can introduce new vulnerabilities.

“Water and wastewater treatment facilities are often underfunded when it comes to cybersecurity, but they face the same threats as other organizations,” Erlin warned. “CISA [...] has focused on the water and wastewater treatment sector, but these changes take time and budget.”

Focus on Identity Security and Long-Term Solutions

Sean Deuby, a cybersecurity expert at Semperis, also commented on the news, observing that the American Water attack was not entirely unexpected, given the increasing number of warnings issued by federal agencies.

Deuby noted that while the company’s swift response to isolate its systems was commendable, it reflects the broader cybersecurity challenges facing critical infrastructure.

He emphasized that attackers most commonly gain access to such systems through identity-based attacks, targeting vulnerable identity management systems like Active Directory.

“One common thread across all these campaigns is the use of identity for initial access, propagation, privilege escalation and persistence,” Deuby added. “Organizations should prioritize protecting these mission-critical systems that are always targeted by threat actors, whether they’re nation-state actors or cybercriminals.”

At the time of writing, American Water has not provided a timeline for when its systems will be fully restored, and customers are advised to monitor the company’s website for updates.
