Largest US Water Utility Hit by Cybersecurity Incident
Cyber Incident Affecting American Water Utility Company Leads to Portal Shutdown
The largest water utility in the United States is facing a cybersecurity incident that led to the shutdown of its customer portal and a pause on billing until further notice, the organization told customers Monday.
The New Jersey-based American Water utility is the largest regulated water and wastewater company in the U.S., with operations serving over 14 million people across 14 states and 18 military installations. The utility said it learned of "unauthorized activity in our computer networks and systems" that was determined to be the result of a cyber incident on Thursday.
American Water told customers that its water is safe to drink and that the company believes "none of its water or wastewater facilities or operations have been negatively impacted by this incident."
The White House and federal agencies have pressed the U.S. water sector to strengthen cyber resilience for years, publishing an incident response guide in January. The Environmental Protection Agency also announced stepped-up cybersecurity oversight provisions across U.S. drinking water systems in May after identifying "alarming cybersecurity vulnerabilities" at the vast majority of inspected systems (see: EPA Cracks Down on US Water System Cybersecurity Violations).
"Our team is working around the clock to investigate this incident and safely restore our systems," American Water said. "Investigations of this nature take time, and we will provide more information when and as appropriate."
American Water did not immediately return requests for comment. The company said its call center is currently experiencing "limited functionality" due to the shutdown of its customer service portal, MyWater. The utility also said an investigation into the incident "is ongoing and will take time to complete."
The U.S. water and wastewater sector has become an increasingly attractive target for cyberattacks, according to the Cybersecurity and Infrastructure Security Agency. The FBI and Homeland Security recently launched an investigation into a September cyberattack on a Kansas water treatment facility, amid rising concerns of foreign threats targeting U.S. water systems following an Iranian attack on Israeli-made controllers used in American facilities last November (see: Internet-Exposed Water PLCs Are Easy Targets for Iran).
American Utility customers will not be charged late fees or experience a shutoff in services during the system outages, the company said. It remains unclear what information or systems may have been breached during the incident, as well as whether any sensitive customer data was stolen.
Experts previously told Information Security Media Group in March that the water and wastewater sector lacks technical resources to comply with federal requests to boost cybersecurity. Jennifer Lyn Walker, director of infrastructure cyber defense for the Water Information Sharing and Analysis Center, said that more technical resources were required in many cases "for these utilities to be able to actually implement even the most basic cybersecurity fundamentals" (see: Water Sector Lacks Support to Meet White House Cyber Demands).