Critical Infrastructure Security, Incident Response, OT Security

American Water shuts down customer portal amid cybersecurity incident

American Water Company, the largest regulated water and wastewater utility company in the United States, said it was the victim of a “cybersecurity incident” last week, leading it to take its MyWater customer portal offline.

The company said in an SEC filing Monday that it detected “unauthorized activity” on its computer networks on Oct. 3 and immediately activated its incident response protocols, which included disconnecting and deactivating certain systems.

An FAQ regarding the incident on the American Water website notes that billing will be paused and that no late fees or service shutoffs will be applied while the MyWater portal is unavailable.

American Water provides drinking water and wastewater services to more than 14 million people in 14 states, as well as 18 military installations across the United States, according to its website. The company said none of its water or wastewater facilities or operations were negatively impacted by the cybersecurity incident and that its water is still safe to drink.

“Upon learning of the issue, our team immediately activated our incident response protocols, and third-party security experts to assist with containment, mitigation and an investigation into the nature and scope of the incident. We also contacted and are receiving assistance from law enforcement, and we are coordinating fully with them,” an American Water spokesperson said in a statement to SC Media.

The spokesman did not say whether the incident was related to ransomware or any nation-state threat actor, and did not confirm whether customer or employee data was exfiltrated. The SEC filing stated that the company does not expect the incident will have a material effect on the company, its financial condition or the results of its operations.

“We take the cybersecurity of our systems with utmost seriousness and are taking additional steps to strengthen the cybersecurity of American Water’s systems. Our customers and the data we maintain remain our highest priorities,” the incident FAQ stated.

Regulators sounding alarm on water systems security

The incident at American Water comes as government agencies are on high alert about potential cyberattacks on water and wastewater facilities, particularly by foreign nation-state actors like Iran, China and Russia.

In response to attacks on water facilities by the Iran-linked Cyber Av3ngers threat group and the China state-sponsored Volt Typhoon group, White House National Security Advisor Jake Sullivan and Environmental Protection Agency (EPA) Administrator Michael Regan sent a letter to state governors on March 18, 2024, requesting cooperation in strengthening water systems security across the nation.

Around the same time, the EPA began laying out plans to establish a Water Sector Cybersecurity Task Force, which “will identify the most significant vulnerabilities of water systems to cyberattacks, the challenges that water systems face in adopting cybersecurity best practices, and near-term actions and long-term strategies to reduce the risk of water systems nationwide to cyberattacks,” according to Sullivan and Regan.

Officials continue to investigate recent attacks on water facilities, including attacks in Indiana and Texas in April that were claimed by the “CyberArmyofRussia_Reborn” group, which is believed to be connected with the Russian military-aligned advanced persistent threat (APT) group Sandworm.

Attacks on water facilities and other critical infrastructure utilities frequently target weaknesses in operational technology (OT) and industrial control systems (ICS), leading agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish frequent warnings and advisories about OT and ICS security and exploits.

Most recently, CISA partnered on new guidelines by the Australian Signals Directorate’s Australian Cyber Security Centre, along with officials from Canada, Germany, Japan, South Korea, New Zealand and the United Kingdom, which urge critical infrastructure organizations to adhere to six key principles of OT environment security.
