American Water Confirms Cyberattack, Pauses Billing

A cyberattack has hit American Water, the largest regulated water and wastewater utility company in the United States. 

New Jersey-based American Water confirmed it learned of unauthorized activity in its computer networks and systems on Oct. 3. The company provides water and wastewater services to more than 14 million people in 14 states and on 18 military installations.

“This activity has since been determined to be the result of a cybersecurity incident,” it said. “In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. We proactively took MyWater offline, which means we are pausing billing until further notice. We are working diligently to bring these systems back online safely and securely.”

American Water said it believes none of its water or wastewater facilities or operations has been negatively impacted by this incident. However, it's unable to predict the full impact of the cyberattack.

“American Water activated third-party cybersecurity professionals to assist with our investigation into the nature of the incident,” it said. “This investigation is ongoing and will take time to complete. We take the cybersecurity of our systems with utmost seriousness and are taking additional steps to strengthen the cybersecurity of American Water’s systems. Our customers and the data we maintain remain our highest priorities.”

Related:Sophos CEO Joe Levy on Lessons Learned from CrowdStrike-Microsoft Outage

American Water Cyberattack Shows Importance of Critical Infrastructure Security

Marc Manzano, general manager of cybersecurity at SandboxAQ, an AI solutions provider, said incidents like American Water “remind us that investments in cybersecurity for critical infrastructure are no longer optional.”

SandboxAQ's Marc Manzano

“They are an absolute necessity to prevent catastrophic impacts on society,” he said. “With growing threats from cybercriminals and nation-state actors, the importance of securing these systems has never been clearer. It’s not just about protecting data — it’s about maintaining public safety and ensuring the resilience of services we rely on."

Sean Deuby, principal technologist at Semperis, said the American Water cyberattack isn’t surprising given that water treatment and wastewater treatment operators were recently given guidance by the EPA on securing their facilities. Then in March, a memo sent by the Biden administration to U.S. governors warned them of the increase in cyberattacks on water and wastewater treatment plants.

“While we don’t yet know which threat actor targeted this important critical infrastructure utility company, American Water appears to have responded quickly and effectively to isolate the damage caused by the cyberattack, a commendable response executed under duress,” he said. “Today, there is no silver bullet that will solve the cybersecurity challenges facing public and private sector organizations. Today, the most commonly used identity system, Active Directory, is compromised in 90% of cyberattacks. Identity systems have become the new perimeter in cybersecurity. Attacks have increased at such a rapid pace that the Five Eyes Alliance of the United States, Canada, Australia, the United Kingdom and New Zealand recently issued a comprehensive report, specifically focused on Active Directory, providing guidance on defense against 17 common attacks against this identity system.”

Related:Cynomi vCISO Platform: 'Proof Is in the Pudding'

Semperis' Sean Deuby

One common thread across all of these campaigns is the use of identity for initial access, propagation, privilege escalation and persistence, Deuby said.

“Organizations should prioritize protecting these mission-critical systems that are always targeted by threat actors, whether they’re nation-state actors or cybercriminals,” he said. “This includes around-the-clock threat hunting, increasing security audits, organizing security awareness training for employees and locking down Active Directory because it’s a hacker’s highway.”

Related:Fortinet Engage Partner Program Evolves to Services Model