Cybersecurity Breach at American Water: Billing Hit, Core Safe

American Water
Falling into water droplets

American Water faced a cybersecurity breach affecting its billing, but its core water operations remain secure.

At a Glance

  • Cyberattack disrupted American Water’s billing services, leaving core operations unaffected.
  • The company managed to protect water systems by disconnecting certain vulnerable systems.
  • Steps were taken in coordination with law enforcement and cybersecurity experts.
  • No hacker group has claimed responsibility for the attack.

Attack on American Water Systems

American Water, the largest water and wastewater supplier in the U.S., encountered a cybersecurity attack that has impacted its billing systems. Responsible for providing water services to 14 million customers across 14 states, including important military installations, the company’s immediate priority was ensuring the safety of core operations. Authorities confirmed the company’s water supply and treatment facilities were unaffected by the unauthorized network breaches experienced starting October 3.

The security threat prompted American Water to pause its MyWater account system, halting billing services and rescheduling customer appointments. Additionally, its call center was brought offline as a precautionary measure. Measures prioritized included disconnecting potentially compromised systems to shield critical infrastructure. The organization promptly reached out to cybersecurity experts and informed law enforcement to assess and manage the incident’s ramifications.

Regulations and Cybersecurity Concerns

The cyber event at American Water brings to light broader concerns over the cybersecurity of water systems nationwide. Last year, the EPA reported that over 70% of water systems do not fully comply with cybersecurity regulations under the Safe Drinking Water Act. The EPA plans to enhance inspection routines due to these increasing cyber threats. Notably, no hacker group has claimed responsibility for infiltrating American Water’s networks.

The absence of liability declarations from hackers means American Water continues its collaboration with law enforcement and cybersecurity professionals to prevent such incidents in the future. American Water’s proactive measures were in line with EPA’s plans to increase its oversight through more stringent checks and require companies to submit more frequent risk mitigation reports. The company remains committed to securing its expansive network, which spans over 1,700 communities and includes over 500 water systems.

Next Steps for American Water

Despite the disruptions faced, American Water is focused on reinforcing its systems to avoid such vulnerabilities in the future. This breach underscores the urgency of reassessing cybersecurity strategies within essential service sectors. As part of its 2023 annual report, American Water reported a $2.7 billion capital investment towards better facility management. Plans for 2024 indicate an increment in investment towards strengthening cybersecurity measures. Their approach leans heavily on a “defense-in-depth” strategy, in accordance with the National Institute of Standards and Technology’s framework.

By promptly taking preventive actions as early as October 3 and collaborating with cybersecurity stakeholders, American Water showed a rapid response to maintaining operational efficiency while dealing with the cyber threat. The United States’ water and wastewater systems face an increased frequency of cyberattacks, highlighting the necessity for enhanced protection protocols. With Congress pressed to bolster the EPA’s authority and federal cybersecurity agencies warning of continuous threats, utility companies are urged to ramp up defenses against such attacks on critical infrastructure.