Cyberattack Disrupts Water Company Billing: How Did They Respond?

Person in hoodie using computer with code on screen.

American Water, the largest water utility in the U.S., faces a cyberattack that has disrupted its billing systems and customer services, raising concerns about the vulnerability of critical infrastructure.

At a Glance

  • American Water, serving 14 million people across 14 states, reported a cyberattack affecting its billing systems.
  • The company’s MyWater account system and call center are down, but water and wastewater facilities remain unaffected.
  • Cybersecurity experts and law enforcement have been engaged to contain and mitigate the attack.
  • The incident highlights ongoing cybersecurity vulnerabilities in the U.S. water sector.

Cyberattack Disrupts American Water’s Operations

American Water Works, the largest regulated water and wastewater utility company in the United States, has fallen victim to a cyberattack that has forced the suspension of its billing systems and customer service operations. The New Jersey-based company, which serves approximately 14 million people across 14 states and 18 military installations, discovered unauthorized activity in its computer systems on October 3.

In response to the breach, American Water has taken immediate protective measures, including shutting down certain systems to prevent further unauthorized access. The company’s MyWater account system has been paused, affecting billing processes and customer appointments. Additionally, the company’s call center is currently non-operational due to the attack.

Impact on Customers and Company Response

While the cyberattack has disrupted customer-facing services, American Water has assured the public that its water and wastewater facilities remain unaffected. The company stated that it “currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.” To mitigate inconvenience to customers, American Water has announced that no late charges will be incurred while its systems are down.

“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its system,” American Water reported in a statement.

The company has engaged cybersecurity experts to “assist with the containment and mitigation activities” and is working “around the clock” to resolve the issue. American Water has also notified law enforcement and filed a report with the Securities and Exchange Commission (SEC).

Broader Implications for U.S. Water Security

This cyberattack on American Water is not an isolated incident but part of a concerning trend of increasing cyber threats to critical infrastructure, particularly in the water sector. The Environmental Protection Agency (EPA) has highlighted significant cybersecurity vulnerabilities, with over 70% of water systems not fully compliant with the Safe Drinking Water Act. “Disabling cyber attacks are striking water and wastewater systems throughout the United States,” according to a recent letter from cybersecurity experts.

The White House has warned about the vulnerabilities of over 170,000 U.S. water systems, and there have been calls for Congress to enhance the EPA’s authority in addressing these cybersecurity weaknesses. In response to the rising threats, the EPA plans to increase water security inspections, and a new critical infrastructure policy now requires annual risk mitigation updates.

Looking Ahead: Strengthening Water Sector Cybersecurity

As the investigation into the American Water cyberattack continues, with no group yet claiming responsibility, the incident serves as a stark reminder of the urgent need for enhanced cybersecurity measures in the water sector. American Water’s 2023 annual report detailed a “defense-in-depth” cybersecurity strategy based on the NIST framework, highlighting the company’s awareness of the threats it faces.

However, the successful breach underscores the sophistication of cyber threats and the ongoing challenges in protecting critical infrastructure. As American Water works to restore its systems and assess the full impact of the attack, the incident is likely to prompt renewed discussions about cybersecurity investments and regulatory frameworks to safeguard America’s water supply.

Sources:

  1. American Water Works believes no water, wastewater facilities affected by cyberattack
  1. American Water pauses billing after cyberattack
  1. Major U.S. water company hit by cyberattack
  1. American Water disables systems following cyber attack
  1. American Water Warns of Billing Outages After Finding Hackers in Its Systems
  1. American Water, the Largest Water Utility in US, Is Targeted by a Cyberattack
  1. American Water Works cyberattack forces company to pause billing
  1. American Water, largest water utility in US, dealing with cyberattack