By Cam Sivesind
Wed | Oct 9, 2024 | 5:16 AM PDT

A New Jersey-based utility, American Water, which supplies water to more than 14 million people, reported a cyberattack in an SEC filing on October 3, 2024.

The attack appears to have impacted only the company's billing systems, with no disruption to water or wastewater services. The company, which operates in 14 states and supports 18 military installations, emphasized that no ransom demand has been made, and no known group has claimed responsibility for the breach. Efforts are underway to assess the full scope of the incident.

The incident highlights ongoing concerns about the vulnerability of critical infrastructure, even when operational systems remain unaffected. In this case, while water services were not interrupted, the attack on billing systems serves as a reminder of how interconnected business systems can still be a point of weakness.

"Water utilities make up a particularly vulnerable portion of our critical infrastructure. Part of this is due to the age of their physical plant, but it's also symptomatic of our failure to prioritize modernizing and securing these utilities," said Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.), Chairman, Cedric Leighton Associates, LLC. "While this attack 'only' impacted American Water's billing system, we have to keep two things in mind. One of these is that billing is the lifeblood of any business—otherwise it can't receive any revenues. The other is that data is the new 'gold.' By that, I mean that data on individuals, their bank accounts, their credit card numbers, their buying habits, and many other aspects of their lives can be monetized or exploited in many different ways, some of which we're just beginning to understand."

For cybersecurity professionals, this attack emphasizes the need for securing not only operational technology (OT) but also enterprise systems like billing and customer data, which can be equally attractive targets for attackers seeking to disrupt or extort critical services. The lack of a ransom demand or attribution at this stage may suggest either opportunistic attackers or a group probing defenses for future operations.

"Every ransomware attack that is hitting our critical infrastructure faster and faster should be a steadfast reminder that we must be cyber defense strong. We need to be one step ahead of the attackers, but also practicing on a monthly basis tabletop drills and scenarios constantly," said Erika Voss, CISO at DAT Freight & Analytics. "Ransomware is hitting us harder and faster, and we do not want to lose ground. Get out your IRP, and start having the discussions with your leadership team, but also your SOC operators—they are your first line of defense."

The company said on Tuesday that it shut down its customer service portal, and as a result, its billing function "until further notice," and will not charge any late fees or other fees related to billing as long as the system is down.

"This attack highlights an unavoidable truth: every company is a legitimate target for cyber attackers, and the only effective defense is the proactive cybersecurity program. This is doubly true when dealing with critical infrastructure," said Jake Bernstein, Esq., Partner, Data Protection, Privacy & Security Group, K&L Gates LLP.

According to the company's website, American Water is one of the fastest growing utilities in the U.S. and expects to invest $34 to $38 billion in infrastructure repairs and replacement, system resiliency, and regulated acquisitions over the next 10 years. Time will tell if the cyberattack causes any disruption to the company's plans.

"A fast-growing company like American Water that runs a key component of our critical infrastructure is a lucrative cyber target for both state-sponsored and non-state actors," said Col. Leighton.

Critical infrastructure has been the target of many attacks of late.

"The cyberattack on American Water underscores critical vulnerabilities in essential infrastructure. Although the company acted swiftly to secure operations and maintain water services, the incident highlights the pressing need for robust cybersecurity measures," said Jason Soroko, Senior Fellow at Sectigo. "Potential risks include operational disruptions, data breaches, and erosion of public trust. Utilities must implement layered security protocols, conduct regular audits, train employees on cyber threats, and collaborate with government agencies to safeguard against evolving attacks. A thoughtful evaluation of legacy systems and their capability to be secured is needed."

Soroko added, "Most technical staff in critical infrastructure such as water systems are experts in uptime, ensuring that systems delivering water safely are always available. This is a different skill set from cybersecurity and a challenge to balance."

In the category of "we're too small for something like this to happen to us," Arkansas City, Kansas, experienced a cybersecurity incident on September 22, 2024, affecting its water treatment facility. The incident prompted a shift to manual operations.

Late last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded to an active Iran-led cyberattack on a water facility in western Pennsylvania, shedding light on the exploitation of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) sector.

The U.S. Environmental Protection Agency (EPA) in May of this year sounded the alarm over critical cybersecurity vulnerabilities impacting community water systems across the United States. In a new Enforcement Alert, the agency is calling on water utilities to immediately enhance their digital defenses to protect public health and safety.

John Gallagher, Vice President of Viakoo Labs at Viakoo, said that IoT, OT, and ICS devices by their nature expose physical systems to cyber risk.

"Any organization that operates or relies on cyber-physical systems should be concerned, as these devices and systems are often the most easily compromised within their operations, whether directly or through lateral movement," Gallagher said. "Having an accurate asset inventory, ensuring that these systems are on separate networks, and having automation to perform firmware updates at scale are a few of the most critical areas to focus on."

Gallagher continued, "As we saw with Colonial Pipeline, having access to internal IT systems can cause major disruption in pipeline and water systems (with Colonial it was an exploited billing server that caused the pipeline to shut down). As was reported late last year, malicious Iranian hackers breached a Pennsylvania water utility. Clearly, because of their potential for causing fear, uncertainty, and potentially massive damage, threat actors are targeting critical infrastructure including water systems."

"In an era of global supply chains and global supply chain threats, operators of IoT, OT, and ICS systems should be asking for SBOMs and proof of supply chain security from the vendors of equipment that is used," Gallagher concluded.

[RELATED: Understanding CISA's New Guide on Software Bill of Materials (SBOM)]
