
American Water, a publicly traded United States water and wastewater utility company, was subjected to a cyber attack last week. 

With over 6,500 employees, the firm provides water and wastewater services to over 14 million people across 14 states and 18 military installations in the U.S. 

The attack forced American Water to shut down some of its systems, including its online customer portal and billing services.

While the motive behind the attack remains unknown, it is suspected to be a ransomware attack, in which malware encrypts a victim’s data and demands a ransom payment for its decryption.

American Water has not yet publicly identified the perpetrators of the cyber attack but issued an official statement in a Form 8-K, a broad form used to notify investors in the U.S.

According to the official statement, the company learned of unauthorized activity within its computer networks and systems on October 3, 2024. This activity was determined to result from a cybersecurity incident. 

“Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident,” stated Stacy A. Mitchell, the executive vice president and general counsel.

The water and wastewater utility immediately notified the pertinent authorities and is coordinating fully with law enforcement to get to the bottom of the issue.

Water supply “completely safe” 

American Water is continuing to take action to protect its system and data, including disconnecting or deactivating some of its systems. 


The company currently believes that this incident has not negatively impacted its water or wastewater facilities or operations. 

The full impact of the breach is yet to be determined; however, American Water does not expect the incident to have a material effect on the company, its financial condition or the outcome of its operations.

The attackers allegedly gained unauthorized access to American Water's systems and networks. The cause has not been established yet, but the breach was likely carried out through a vulnerability in the system or some other form of exploitation.

Once inside, they were able to disrupt operations and potentially steal data. 

The firm was able to respond immediately and took action to contain the damage, including informing the necessary authorities. The company also assured customers that there would be no late charges while services were unavailable.

In a similar incident recently, Arkansas City’s water treatment facility was also subjected to a cyber attack on September 22, 2024, which forced it to switch to manual operations. 

The water treatment facility said that the water supply was “completely safe” without “disruption to service.” 

TLP warning for cyber attacks targeting water sector

However, the Cybersecurity and Infrastructure Security Agency (CISA) said it continued to respond to the active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS) devices including those in the water and wastewater sector (WWS). 

“Exposed and vulnerable OT/ICS systems may allow cyber threat actors to use default credentials, conduct brute force attacks, or use other unsophisticated methods to access these devices and cause harm,” the agency said.

Such incidents are alerting authorities to the growing threat of cyber attacks against critical infrastructure.

In fact, the Federal Bureau of Investigation (FBI) revealed in its annual Internet Crime Report that over 2 in 5 of the ransomware attacks reported to it hit critical infrastructure. Of the 2,825 ransomware attacks reported to the FBI last year, over 40% targeted critical infrastructure organizations.

In 2022, WaterISAC issued an alert marked TLP:AMBER, a Traffic Light Protocol (TLP) label used when information is needed to take action. The advisory particularly warned of Russian-linked cyber attacks targeting the water sector.

On September 18, 2024, the U.S. Environmental Protection Agency (EPA) also issued guidance on improving cybersecurity in drinking water and wastewater systems (WWSs). It aims to assess gaps in current cybersecurity practices and controls and identify actions that may mitigate the risk of future cyber attacks.