American Water, the leading water utility provider in the United States, recently faced a significant cyberattack, prompting immediate action and raising alarms about cybersecurity vulnerabilities in critical infrastructure. The company, based in Camden, New Jersey, stated it experienced "unauthorized activity in our computer networks and systems" last Thursday, identifying the incident as a cybersecurity breach.
As a direct response to the attack, American Water announced on Tuesday it had taken the precautionary step of shutting down its customer service portal, including all billing functions, "until further notice." In an effort to mitigate the inconvenience to its customers, the utility emphasized that it would not impose any late fees during this disruption.
The increase in cyberattacks targeting water systems across the country presents a pressing issue for national security. With recent incidents linked to geopolitical adversaries such as Russia, Iran, and China, the threat landscape is becoming increasingly dangerous. The Federal Bureau of Investigation (FBI) has previously alerted Congress to the deep infiltration of U.S. cyber infrastructure by Chinese hackers, who are reportedly targeting crucial sectors like water treatment and the electrical grid.

"Taking out critical national infrastructure has become a top priority for foreign-linked cybercriminals," stated an Environmental Protection Agency (EPA) spokesperson. "All drinking water and wastewater systems are at risk — large and small, urban and rural."
Impact and Legacy
American Water serves over 14 million individuals across 14 states and operates on 18 military installations, showcasing the broad impact of this attack. Although the company said it currently believes no water or wastewater operations have been disrupted or compromised, the investigation continues with the involvement of law enforcement and external cybersecurity experts.
The response to this incident follows a notable increase in cyber vulnerabilities within the water sector, which prompted the EPA to issue enforcement alerts. Many water systems inspected by the agency did not fully comply with the Safe Drinking Water Act and showed alarming cybersecurity deficiencies. "Default passwords that have not been updated, vulnerable single login setups, and former employees who retained systems access" contribute to the rising concern, noted the EPA.
The hacking of water infrastructure is not a solitary incident. In January, a Russian-linked breach targeted a water filtration plant in Muleshoe, Texas, which is strategically located near a U.S. Air Force base. Commenting on the state of security in the water sector, Adam Isles, head of the cybersecurity practice at Chertoff Group, stated, "Water is among the least mature in terms of security."

American Water first discovered the unauthorized access on October 3, determining it was part of a larger cyberattack. However, the situation remains fluid, and both the utility and external analysts are still assessing the full scope of the breach. As of now, the company has not confirmed whether any customer data has been compromised.
The significance of this cybersecurity incident extends beyond mere inconvenience. It highlights a systemic issue that demands immediate attention from both utility providers and government agencies. The consensus among experts is clear — protecting critical infrastructure, particularly water systems, must become a national priority to safeguard public health and safety.
Looking Ahead
With threats continuing to evolve, American Water and others in the sector are under increasing pressure to enhance their cybersecurity measures. As mentioned in their statements, investigations are underway, but it is crucial for the industry to address underlying issues that could leave essential services vulnerable to future attacks.


