Critical Infrastructure Security

Largest US Water Utility Hit by Cybersecurity Incident

Cyber Incident Affecting American Water Utility Company Leads to Portal Shutdown
Largest US Water Utility Hit by Cybersecurity Incident
American Water said it was shutting down its customer portal and pausing billing operations indefinitely. (Image: Shutterstock)

The largest water utility in the United States is facing a cybersecurity incident that led to the shutdown of its customer portal and a pause on billing until further notice, the organization told customers Monday.

See Also: How to Take the Complexity Out of Cybersecurity

The New Jersey-based American Water utility is the largest regulated water and wastewater company in the U.S., with operations serving over 14 million people across 14 states and 18 military installations. The utility said it learned of "unauthorized activity in our computer networks and systems" that was determined to be the result of a cyber incident on Thursday.

American Water told customers that its water is safe to drink and that the company believes "none of its water or wastewater facilities or operations have been negatively impacted by this incident."

The White House and federal agencies have pressed the U.S. water sector to strengthen cyber resilience for years, publishing a incident response guide in January. The Environmental Protection Agency also announced stepped-up cybersecurity oversight provisions across U.S. drinking water systems in May after identifying "alarming cybersecurity vulnerabilities" at the vast majority of inspected systems (see: EPA Cracks Down on US Water System Cybersecurity Violations).

"Our team is working around the clock to investigate this incident and safely restore our systems," American Water said. "Investigations of this nature take time, and we will provide more information when and as appropriate."

American Water did not immediately return requests for comment. The company said its call center is currently experiencing "limited functionality" due to the shutdown of its customer service portal, MyWater. The utility also said an investigation into the incident "is ongoing and will take time to complete."

The U.S. water and wastewater sector has become an increasingly attractive target for cyberattacks, according to the Cybersecurity and Infrastructure Security Agency. The FBI and Homeland Security recently launched an investigation into a September cyberattack on a Kansas water treatment facility, amid rising concerns of foreign threats targeting U.S. water systems following an Iranian attack on Israeli-made controllers used in American facilities last November (see: Internet-Exposed Water PLCs Are Easy Targets for Iran).

American Utility customers will not be charged late fees or experience a shutoff in services during the system outages, the company said. It remains unclear what information or systems may have been breached during the incident, as well as whether any sensitive customer data was stolen.

Experts previously told Information Security Media Group in March that the water and wastewater sector lack technical resources to comply with federal requests to boost cybersecurity. Jennifer Lyn Walker, director of infrastructure cyber defense for the Water Information Sharing and Analysis Center, said that more technical resources were required in many cases "for these utilities to be able to actually implement even the most basic cybersecurity fundamentals" (see: Water Sector Lacks Support to Meet White House Cyber Demands)


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.