November 4, 2024 By Jonathan Reed 3 min read

American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks.

The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that its operations and water quality were not affected, American Water’s shutdown of its billing system and customer portal highlights the critical intersection between operational technology (OT) and information technology (IT) vulnerabilities in essential services.

The state of the water and wastewater industry

Water and wastewater systems in the U.S. are vital to public health and the environment, but they also suffer from chronic underfunding, legacy infrastructure and an expanding attack surface. The reliance on OT systems, many of which lack modern security protections, has made these utilities particularly susceptible to cyber threats.

According to a report by CISA, pro-Russia hacktivists have increasingly targeted industrial control systems (ICS) within water utilities, often exploiting default passwords, unsecured remote access points and other weak cyber hygiene practices.

Water systems are unique in that they rely on complex networks of ICS to manage critical functions, such as treatment processes and distribution. These systems were not initially designed with cybersecurity in mind, leading to a patchwork of protections that fail to meet today’s threat landscape.

Attackers, particularly nation-state actors, view water utilities as valuable targets because of their potential to disrupt civilian infrastructure and cause widespread panic. And due to their lack of robust security, water systems are easier to breach. Overall, the water sector’s vulnerabilities make it a key target for adversaries seeking either monetary gain or to exert geopolitical pressure.

Explore cybersecurity services

The public notification process under CIRCIA

American Water’s decision to disclose the cyberattack via an 8-K filing highlights its role as critical infrastructure and the regulatory requirements tied to such status. The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure entities report cyber incidents to CISA within 72 hours of detection. This is part of a broader federal initiative to ensure timely reporting and response to cyber threats targeting essential services.

Under CIRCIA, organizations are required to notify not only federal agencies like CISA but also the public, particularly when service disruptions or data breaches affect consumers. In this case, American Water’s 8-K filing serves as both a legal and public notification, as the Securities and Exchange Commission (SEC) mandates that publicly traded companies report material events that could impact their financial standing.

This notification process is crucial for maintaining public trust in critical services. While American Water assured the public that water quality and operational processes were not impacted, the transparency in disclosing the cyberattack speaks to the heightened regulatory environment in which critical infrastructure operators now function.

Existing cybersecurity regulations and standards

The water sector, like many other critical infrastructure sectors, operates under a framework of voluntary and mandatory cybersecurity standards. In 2023, the U.S. Environmental Protection Agency (EPA) attempted to introduce mandatory cybersecurity audits for water utilities under its enforcement of the Safe Water Drinking Act.

These audits were meant to assess the cybersecurity posture of utilities, many of which have struggled to implement baseline security measures, such as multi-factor authentication (MFA) and network segmentation. However, legal challenges from several states have delayed the full implementation of these mandates, and the regulatory landscape remains in flux.

CISA has also issued comprehensive guidance on securing ICS and OT systems in the water and wastewater sectors. This guidance, outlined in its Cross-Sector Cybersecurity Performance Goals (CPGs), includes recommendations for reducing the exposure of critical systems to the internet, enforcing strong password policies and ensuring that outdated industrial devices are replaced or securely managed.

The increasing frequency of cyberattacks on the water sector has prompted a broader national discussion on the need for more stringent regulations and industry-wide standards. In response, the Biden administration has emphasized the importance of building resilience within water systems through cybersecurity training, threat sharing and investment in security technologies.

Urgent need to make water safe

The American Water cyberattack underscores the vulnerabilities that continue to plague the water and wastewater sectors, particularly at the intersection of IT and OT. With ongoing threats from nation-state actors and hacktivist groups, the water industry must urgently strengthen its cybersecurity posture.

American Water’s transparency in reporting the incident and cooperation with CISA and law enforcement set a necessary precedent for other critical infrastructure providers. As cybersecurity regulations continue to evolve, water utilities will need to prioritize cyber hygiene, adopt best practices from federal agencies and prepare for the inevitability of future attacks.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Has BlackCat returned as Cicada3301? Maybe.

4 min read - In 2022, BlackCat ransomware (also known as ALPHV) was among the top malware types tracked by IBM X-Force. The following year, the threat actor group added new tools and tactics to enhance BlackCat's impact. The effort paid off — literally. In March 2024, BlackCat successfully compromised Change Healthcare and received a ransom payment of $22 million in Bitcoin. But here's where things get weird: Immediately after taking payment, BlackCat closed its doors, citing "the feds" as the reason for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today