American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks.
The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that its operations and water quality were not affected, the shutdown of its billing system draws a parallel to the 2021 Colonial Pipeline incident. In both cases, financial systems were impacted, with Colonial Pipeline halting its operations due to billing system vulnerabilities, causing major fuel distribution disruptions.
American Water’s shutdown of its billing system and customer portal highlights the critical intersection between operational technology (OT) and information technology (IT) vulnerabilities in essential services.
The state of the water and wastewater industry
Water and wastewater systems in the U.S. are vital to public health and the environment, but they also suffer from chronic underfunding, legacy infrastructure and an expanding attack surface. The reliance on OT systems, many of which lack modern security protections, has made these utilities particularly susceptible to cyber threats.
According to a report by CISA, pro-Russia hacktivists have increasingly targeted industrial control systems (ICS) within water utilities, often exploiting default passwords, unsecured remote access points and other weak cyber hygiene practices.
Water systems are unique in that they rely on complex networks of ICS to manage critical functions, such as treatment processes and distribution. These systems were not initially designed with cybersecurity in mind, leading to a patchwork of protections that fail to meet today’s threat landscape.
Attackers, particularly nation-state actors, view water utilities as valuable targets because disrupting them can affect civilian infrastructure and cause widespread panic, and their lack of robust security makes them easier to breach. Overall, the water sector’s vulnerabilities make it a key target for adversaries seeking either monetary gain or geopolitical leverage.
The public notification process under CIRCIA
American Water’s decision to disclose the cyberattack via an 8-K filing highlights its role as critical infrastructure and the regulatory requirements tied to such status. The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure entities report cyber incidents to CISA within 72 hours of detection. This is part of a broader federal initiative to ensure timely reporting and response to cyber threats targeting essential services.
Under CIRCIA, organizations are required to notify not only federal agencies like CISA but also the public, particularly when service disruptions or data breaches affect consumers. In this case, American Water’s 8-K filing serves as both a legal and public notification, as the Securities and Exchange Commission (SEC) mandates that publicly traded companies report material events that could impact their financial standing.
This notification process is crucial for maintaining public trust in critical services. While American Water assured the public that water quality and operational processes were not impacted, the transparency in disclosing the cyberattack speaks to the heightened regulatory environment in which critical infrastructure operators now function.
Existing cybersecurity regulations and standards
The water sector, like many other critical infrastructure sectors, operates under a framework of voluntary and mandatory cybersecurity standards. In 2023, the U.S. Environmental Protection Agency (EPA) attempted to introduce mandatory cybersecurity audits for water utilities under its enforcement of the Safe Drinking Water Act.
These audits were meant to assess the cybersecurity posture of utilities, many of which have struggled to implement baseline security measures, such as multi-factor authentication (MFA) and network segmentation. However, legal challenges from several states have delayed the full implementation of these mandates, and the regulatory landscape remains in flux.
CISA has also issued comprehensive guidance on securing ICS and OT systems in the water and wastewater sectors. This guidance, outlined in its Cross-Sector Cybersecurity Performance Goals (CPGs), includes recommendations for reducing the exposure of critical systems to the internet, enforcing strong password policies and ensuring that outdated industrial devices are replaced or securely managed.
The increasing frequency of cyberattacks on the water sector has prompted a broader national discussion on the need for more stringent regulations and industry-wide standards. In response, the Biden administration has emphasized the importance of building resilience within water systems through cybersecurity training, threat sharing and investment in security technologies.
Urgent need to make water safe
The American Water cyberattack underscores the vulnerabilities that continue to plague the water and wastewater sectors, particularly at the intersection of IT and OT. With ongoing threats from nation-state actors and hacktivist groups, the water industry must urgently strengthen its cybersecurity posture.
American Water’s transparency in reporting the incident and cooperation with CISA and law enforcement set a necessary precedent for other critical infrastructure providers. As cybersecurity regulations continue to evolve, water utilities will need to prioritize cyber hygiene, adopt best practices from federal agencies and prepare for the inevitability of future attacks.
Freelance Technology Writer