H2-Oh No: Cyber Breach Hits American Water

American Water is up a creek, so to speak. The largest regulated water and wastewater utility company in the United States has fallen victim to a digital security breach.

On October 3, the New Jersey-headquartered corporation discovered suspicious activities within its computer networks and systems. American Water, which serves over 14 million individuals across 14 states and 18 military bases with water and wastewater services, has officially acknowledged the incident.

Incident and response

“This activity has since been determined to be the result of a cybersecurity incident,” the company stated. “In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. We proactively took MyWater offline, which means we are pausing billing until further notice. We are working diligently to bring these systems back online safely and securely.”

According to American Water, they currently have no evidence to suggest that the cyber incident has adversely affected their water or wastewater facilities or operations, stating “At this time, we currently believe that none of our water or wastewater facilities or operations have been negatively impacted by this incident. There will be no late charges or services shut off while MyWater remains unavailable.”

This is reassuring news for their millions of customers who rely on these essential services. However, the company has candidly admitted that the full scope and consequences of the cyberattack remain unclear at this time.

“American Water activated third-party cybersecurity professionals to assist with our investigation into the nature of the incident,” the company said. “This investigation is ongoing and will take time to complete. We take the cybersecurity of our systems with utmost seriousness and are taking additional steps to strengthen the cybersecurity of American Water’s systems. Our customers and the data we maintain remain our highest priorities.”

Cybersecurity concerns and mitigation

The cyber attack is little surprise to most in the industry, considering the heightened focus on cybersecurity in the water sector. This incident follows recent EPA guidance to water and wastewater operators on facility security, and a March memo from the Biden administration alerting governors to the rising threat of cyberattacks on water infrastructure.

The attack’s context is part of a broader trend in cybersecurity vulnerabilities. As Sean Deuby, principal technologist at Semperis, notes, “Today, there is no silver bullet that will solve the cybersecurity challenges facing public and private sector organizations. Today, the most commonly used identity system, Active Directory, is compromised in 90 percent of cyberattacks.”

The gravity of the situation is highlighted by recent international security efforts.

“Attacks have increased at such a rapid pace that the Five Eyes Alliance of the US, Canada, Australia, the UK, and New Zealand recently issued a comprehensive report, specifically focused on Active Directory, providing guidance on defense against 17 common attacks against this identity system,” adds Deuby.

Regarding the American Water Works incident specifically, Deuby observes, “While we don’t yet know which threat actor targeted this important critical infrastructure utility company, American Water appears to have responded quickly and effectively to isolate the damage caused by the cyberattack – a commendable response executed under duress.”

Cybersecurity professionals must stress the importance of a holistic defense strategy to their end users. Businesses must focus on safeguarding essential systems that are frequent targets for both state-sponsored hackers and criminal groups. Key measures include continuous monitoring for threats, more frequent security assessments, implementing staff cybersecurity education programs, and securing Active Directory to prevent unauthorized access and lateral movement within networks.

Learn how to implement a strong incident response plan to detect, contain, eradicate, and recover from security breaches to minimize damage and restore operations.