Threats

Major U.S. water company hit by cyberattack

American Water Works Company said there does not appear to be any impact to water services.

October 7, 2024

American Water headquarters in Camden, New Jersey. (Photo by Ajay Suresh / https://flic.kr/p/2pC3JsS)

A New Jersey-based company responsible for providing water to more than 14 million people was hit by a cyberattack which appears to only resulted in the loss of billing systems, according to a Securities and Exchange Commission filing Monday.

American Water Works Company, which first learned of the attack on Oct. 3, said there does not appear to be any impact to water or wastewater services. No ransomware gang has claimed responsibility for the attack on the company, which has operations in 14 states and serves at least 18 military installations.

There has been a steady increase in cyberattacks against water facilities in recent years, as both states and criminals exploit the sector, which experts deem vulnerable. The White House has spent many months warning about the vulnerabilities of the more than 170,000 water systems in the United States, including by sending a letter to governors in March.

At the same time, the Environmental Protection Agency has faced heavy criticism for the sector’s vulnerability, as the industry has faced a rash of hacks against water facilities. Meanwhile, the sector continues to be a largely voluntary operation when it comes to cybersecurity efforts, which critics say is dependent on Congress revamping EPA’s authorities. The Government Accountability Office has also noted as recently as August that the EPA has not identified or prioritized the greatest risks in the sector.

The EPA has announced plans to increase water security inspections in response to the increasing threats. Additionally, a recent reboot of a landmark critical infrastructure policy will require the government to provide yearly risk mitigation updates through a national plan on infrastructure risk.

While the American Water hack does not appear to impact vital services or operations, the company noted that it is “unable to predict the full impact of this incident” and disconnected some systems. The 8-K filing also notes that American Water does not expect the hack to have a “material effect on the company, or its financial condition or results of operations.”

The company took billing services offline and noted on its website that customers will not incur late charges and water services will not be shut off while they work to get back online.

The company said in a statement to CyberScoop that it had “contacted and [is] receiving assistance from law enforcement, and we are coordinating fully with them.”

In its 2023 annual report, American Water wrote that the company’s “capital investment totaled $2.7 billion, and we are well on track to deliver $3.1 billion in investments in 2024.”

The annual report also included a section on the company’s cybersecurity effort, highlighting a “defense-in-depth” strategy that uses the National Institute of Standards and Technology’s cybersecurity framework. The company “periodically reviews and modifies the implementation of its cybersecurity strategy based on threat trends, program maturity, the results of assessments, and the advice of third-party security consultants,” per the report.