American Water, the largest publicly traded water and wastewater utility in the United States, has had to shut down certain systems following a cyberattack. The attack impacted the company’s online customer portal, MyWater, and paused billing services.
In its 8-K regulatory filing, American Water stated: “Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident.”
American Water said it promptly notified law enforcement and is coordinating with them. It also said it has “taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems.”
It believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident, although it is currently unable to predict the full impact of the event.
”The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems,” the filing added.
With over 6,500 employees, American Water serves more than 14 million people across 14 states, including 18 military installations. This incident follows a recent cyberattack on Arkansas City’s water treatment facility, which forced it to revert to manual operations after detecting unauthorized activity.
Threat Actors Eye the US Water Sector
The cybersecurity threat facing the US water sector is escalating.
Recent attacks have included an incident at the City of Arkansas’s Water Treatment Facility, which was targeted in late September this year. “Out of caution, the Water Treatment Facility has switched to manual operations while the situation is being resolved. Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period,” City Manager Randy Frazer said.
Other events include Chinese cyber-espionage group Volt Typhoon’s infiltration of critical infrastructure networks in the US, including the Water and Wastewater Systems Sector, that remained undetected in some environments for at least five years.
CISA also warned about the Iran-linked threat actor, Cyber Av3ngers, that targeted and compromised programmable logic controllers (PLCs) that the water authority uses to control chemical levels, flow rates, and other processes associated with water and wastewater delivery and treatment.
Addressing the Vulnerabilities
The US Environmental Protection Agency (EPA) has been proactive in addressing these vulnerabilities, providing guidance to water and wastewater system operators on evaluating their cybersecurity measures. This follows calls from the White House for increased support from governors to protect state water systems against cyber threats.
As cyberattacks continue to threaten critical infrastructure, robust cybersecurity practices for water utilities are more crucial than ever.
Follow Best Practices
CISA continues to warn about attacks against operational technology (OT) and industrial control systems (ICS) across critical infrastructure sectors and urges critical infrastructure entities sectors to follow best practices outlined in its report, Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity.
Recommendations include securing OT/ICS systems by changing default credentials, patching vulnerabilities, and segmenting critical devices behind firewalls.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.