Largest US Water Utility Suffers Cyberattack
Hack of critical infrastructure in the US, as American Water admits “unauthorised activity” on computer network and systems
There has been a cybersecurity incident with of America’s largest utility providers, amid increasing geopolitical tensions around the world.
CNBC reported, citing a security statement from American Water, confirmed that it had been targeted in a cyberattack and had to shut down some systems including billing.
Camden, New Jersey-based American Water is said to be the largest water utility in the United States, and it provides drinking water and wastewater services to more than 14 million people, with regulated operations in 14 states and on 18 military installations.
Unauthorised activity
According to the report, the utility admitted that it had learned of “unauthorised activity in our computer networks and systems” last Thursday, which it determined “to be the result of a cybersecurity incident.”
Silicon UK was unable to access the websites of American Water to confirm the statement, as of Wednesday evening.
There has also been no mention of who may be responsible for the hack of a provider of critical US infrastructure.
American Water reportedly said it first learned of the unauthorised computer access on 3 October, and was subsequently able to determine it was a cyberattack.
According to the CNBC report, the utility said on Tuesday that it shut down its customer service portal, and as a result, its billing function “until further notice” and will not charge any late fees or other fees related to billing as long as the system is down.
The firm reportedly said turning off customer systems was intended to protect data, though it added that it is too soon to know whether any customer information is at risk.
America Water reportedly said it remains early in the investigation and “currently believes” that no water or wastewater facilities or operations have been impacted and water remains safe to drink.
Law enforcement and third-party cybersecurity experts are now involved, the company said.
American Water did not immediately respond to a CNBC request for additional comment.
Critical infrastructure
Cyberattacks against water treatment plants have been ongoing for a while now.
In 2016 for example a report from Verizon found at least one example where hackers were able to access the computer systems of a water treatment plant and affect the treating process, exposing people to potential health risks by drinking polluted water.
Officials at the unnamed water utility were able to able to identify and reverse the chemical and flow changes in time.
Then in February 2021 an even more dangerous cyberattack on a water utility came to light, when officials of the US city of Oldsmar in Florida revealed that a hacker had gained access to the water system of the city and had tried to pump in a “dangerous” amount of a chemical.
The hacker had gained access to an internal ICS platform and briefly increased the amount of sodium hydroxide (lye) in Oldsmar’s water treatment system.
Sodium hydroxide is highly corrosive and is often used in drain cleaners. Thankfully for all concerned, a worker spotted the attack and reversed the action, but the consequences of the attack could have been very serious.
But as geopolitical tensions rise around the world, the US has stepped up its warnings to utility providers.
In May 2023 the ‘Five Eyes’ intelligence agencies, as well as tech giant Microsoft, had warned that critical infrastructure in the US was being spied upon by state sponsored Chinese hackers.
CNBC reported that in January a Russian-linked hack of a water filtration plant was carried out in a small Texas town, Muleshoe, located near a US Air Force base.
Then in March 2024, US National Security Advisor Jake Sullivan and Environmental Protection Agency (EPA) Administrator Michael Regan issued a warning to US state governors that foreign hackers are carrying out disruptive cyberattacks against water and sewage systems throughout the country.
In May 2024 the US EPA issued an enforcement alert, and warned that cyberattacks against water utilities across the country were becoming more frequent and more severe.