America’s largest U.S. water utility hit with massive cyberattack

American Water, the largest regulated water and wastewater utility in the U.S., has fallen victim to a major cyberattack. The Camden, NJ-based company reported the breach on Monday after identifying suspicious activity days earlier and notifying law enforcement. The U.S. public utility giant American Water currently provides drinking water and wastewater services to over 14 million people throughout the United States.

In a filing with the Securities and Exchange Commission (SEC) on October 3, American Water revealed “unauthorized activity” on its computer networks. The company said that it disconnected some of its systems after discovering a breach in its internal networks by hackers last week.

However, the company stated that its water and wastewater services remain unaffected, but it hasn’t yet disclosed which systems were impacted or the type of attack involved.  While the full impact of the breach is still being assessed, the company noted that it’s “currently unable to predict the full extent of this incident.”

American Water Hacked

Confirming the hack, American Water said in a statement that on October 3, 2024, it identified unauthorized activity within its computer networks, which was confirmed to be a cybersecurity incident. Upon discovering the breach, American Water said it immediately activated its incident response protocols and brought in third-party cybersecurity experts to assist with containment, mitigation, and investigation efforts.

“Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident,” American Water Works explained in a detailed 8-K regulatory filing on Monday. “The Company also promptly notified law enforcement and is coordinating fully with them. The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems.”  

While the full impact is still being evaluated, the company does not expect the incident to have a material effect on its financial condition or operations.

“Although the Company is currently unable to predict the full impact of this incident, the Company does not expect the incident will have a material effect on the Company, or its financial condition or results of operations,” the company said.

Hackers Breached the Internal Networks of American Water in A Major Cybersecurity Incident

While the investigation is still ongoing, American Water said it does not expect the incident to have a significant effect on its finances or operations. However, U.S. public utility giant American Water says it has disconnected some of its systems after discovering that hackers breached its internal networks last week. In a statement, Ruben Rodriguez, a spokesperson for American Water said:

“In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. There will be no late charges for customers while these systems are unavailable.”

Rodriguez refused to specify which systems were affected or provide details about the nature of the cybersecurity breach.

“Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident,” Rodriguez said.

This attack on American Water follows heightened warnings from the U.S. government, which has raised concerns about the growing threat of state-backed hackers targeting the country’s water infrastructure.

Commenting on the incident, Tim Erlin, a security strategist at Wallarm, emphasized that critical infrastructure is increasingly exposed to the same cybersecurity risks faced by other industries, especially as these organizations rely more on APIs and digital applications.

Erlin referenced prior cybersecurity breaches, such as the 2021 attack in Oldsmar, Florida, which impacted water safety, and a more recent incident at a Kansas water treatment plant that led to the implementation of manual controls. He suggested that American Water’s decision to disconnect systems might indicate an API or web application attack.

Water and wastewater facilities, Erlin pointed out, often face challenges with cybersecurity funding, yet they are just as vulnerable as other sectors. He noted that CISA, the federal agency responsible for securing critical infrastructure, has focused on improving cybersecurity in this area, though progress is slow due to budget and time constraints.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the ongoing exploitation of internet-connected operational technology (OT) and industrial control systems (ICS) in the water sector. The alert highlighted vulnerabilities that cybercriminals could exploit to access these systems using basic methods like default credentials or brute force attacks.

This alert followed a separate cybersecurity incident at Arkansas City’s water treatment plant, where federal agencies are currently investigating the attack. Local authorities have reassured residents that the water supply remains safe, although specific details about the breach are still unclear.