American Water Works has reported an unspecified cyberattack on its IT systems, but its OT systems were unaffected.
The company, which provides water and wastewater services to customers in 14 states, reported the breach in an SEC filing.
On Oct. 3, American Water Works said it “learned of unauthorized activity within its computer networks and systems, which the Company determined to be the result of a cybersecurity incident. Upon learning of this activity, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident. The Company also promptly notified law enforcement and is coordinating fully with them.”
American Water Works said it is “currently unable to predict the full impact of this incident” but it “believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.”
IT teams continue to take action to protect systems and data, “including disconnecting or deactivating certain of its systems.”
While the company didn’t specify the nature of the attack, speculation immediately arose among cybersecurity analysts that the incident was likely a ransomware attack.
If water systems remain unaffected by the cyberattack, American Water Works may have gotten one critical infrastructure cybersecurity best practice right: separating IT and OT systems via network segmentation and other methods.
American Water Works serves 1,700 communities in 14 states, mainly in the Central and Eastern U.S., in addition to California and Hawaii. Other states the company operates in include Iowa, Missouri, Illinois, Indiana, Kentucky, Tennessee, Georgia, West Virginia, Virginia, Pennsylvania, Maryland, and New Jersey.
Water Systems Increasingly Under Attack
The incident follows a similar attack in Arkansas just two weeks ago, and a recent GAO report called for greater EPA protections for water utilities.
Cyble researchers recently alerted clients to the growing cyber threats facing water utilities from hacktivist groups like the Russia-linked People’s Cyber Army and a high number of internet-exposed SCADAView CSX monitoring and control systems.
“Considering the increasing number of internet-exposed Water Utility assets across the United States, continuing use of outdated systems, and inadequate security protocols in such critical facilities, there is an urgent need to implement robust security measures,” Cyble researchers wrote. “The Environmental Protection Agency (EPA) too has echoed these concerns, noting that a staggering 70% of inspected water utilities do not meet basic cybersecurity standards.”
The Cyble report concluded, “these weaknesses in Water utilities not only pose threats of operational disruptions but also contamination of drinking water supplies, posing significant risks to public health.”
The Cyble report also listed a number of recommendations for strengthening water utility security, including network segmentation and hardening human-machine interfaces (HMIs) for monitoring and controlling central telemetry units (CTUs).