America’s Largest Water and Wastewater Utility Hit by Cyberattack

By Tom Ozimek
October 7, 2024
A building belonging to American Water, the largest regulated water and wastewater utility in the country, in Camden, N.J., on June 17, 2024. (Matt Slocum/AP Photo)

American Water Works Company, Inc., the largest regulated water and wastewater utility in the United States, has disclosed that it was the target of a cyberattack.

The New Jersey-based utility, which serves over 14 million people across 14 states and 18 military installations, detected the unauthorized activity on Oct. 3, according to an Oct. 7 regulatory filing and a security-related note on the company’s website.

Stacy Mitchell, executive vice president and general counsel at American Water, wrote in the filing that the company discovered that unknown parties had unlawfully breached the company’s computer networks and systems, prompting the utility to shut down some of its systems, launch an investigation, and contact law enforcement.

Mitchell said that American Water does not believe that the cyberattack negatively impacted any of its wastewater or drinking water systems.

“Although the Company is currently unable to predict the full impact of this incident, the Company does not expect the incident will have a material effect on the Company, or its financial condition or results of operations,” Mitchell wrote in the filing.

The utility’s online customer portal, MyWater, has been temporarily taken offline to protect sensitive data, according to a security-related notice issued by the company. Customers will not incur late fees or face service disruptions while the portal remains down, and the company’s call center is operating with limited functionality. Drinking water remains safe to drink.

“We are working diligently to bring the disconnected systems back online safely and securely,” the notice reads. “Investigations of this nature take time, and we will share information when and as appropriate.”

The attack against American Water happened amid heightened cybersecurity concerns in the water sector.

Several months ago, the U.S. Environmental Protection Agency (EPA) issued an enforcement alert warning of an increasing number of cyberattacks against community water systems. The agency cautioned that such incidents could allow cyber intruders to manipulate operational technology, potentially leading to dangerous consequences, such as the disruption of water treatment processes or the alteration of chemical levels to “hazardous amounts.”

According to the EPA’s alert, a recent review revealed that over 70 percent of inspected water systems violated basic cybersecurity requirements under the Safe Drinking Water Act’s Section 1433, which mandates risk and resilience assessments and emergency response plans. Citing vulnerabilities like unchanged default passwords and inadequate system access controls, the EPA said it had increased its enforcement actions to ensure compliance and mitigate cyber risks.

The Cybersecurity and Infrastructure Security Agency (CISA), which on Oct. 1 launched its 21st Cybersecurity Awareness Month campaign, has repeatedly stressed the importance of securing critical infrastructure. CISA’s guidelines for water utilities include steps such as reducing exposure to public-facing internet networks, updating default passwords, implementing multifactor authentication, and conducting regular cybersecurity assessments.

EPA, CISA, and other federal agencies have issued multiple advisories, citing malicious cyber actors from state-sponsored groups such as Iran’s Revolutionary Guard Corps (IRGC), pro-Russia “hacktivists,” and Chinese communist regime-sponsored groups like Volt Typhoon.

“These malicious cyber actors have disrupted some water systems with cyberattacks and may have embedded the capability to disable them in the future,” EPA warned in its alert, which was updated on June 6.

In April, FBI Director Christopher Wray warned that hackers linked to the Chinese Communist Party had infiltrated America’s critical infrastructure and were waiting for the right moment to strike a “devastating blow.”

Wray made the remarks in a speech at Vanderbilt University in Nashville, Tennessee, saying that the threats posed by China-sponsored hackers are no longer a future matter but are “upon us now.”

“Its plan is to land low blows against civilian infrastructure to try to induce panic,” Wray said, adding that China’s hacking program is larger than that of every other major nation combined, and that the regime is developing the ability to physically attack critical U.S. infrastructure at a time of its choosing.

From The Epoch Times