November 4, 2024 By Jonathan Reed 3 min read

American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks.

The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that its operations and water quality were not affected, American Water’s shutdown of its billing system and customer portal highlights the critical intersection between operational technology (OT) and information technology (IT) vulnerabilities in essential services.

The state of the water and wastewater industry

Water and wastewater systems in the U.S. are vital to public health and the environment, but they also suffer from chronic underfunding, legacy infrastructure and an expanding attack surface. The reliance on OT systems, many of which lack modern security protections, has made these utilities particularly susceptible to cyber threats.

According to a report by CISA, pro-Russia hacktivists have increasingly targeted industrial control systems (ICS) within water utilities, often exploiting default passwords, unsecured remote access points and other weak cyber hygiene practices.

Water systems are unique in that they rely on complex networks of ICS to manage critical functions, such as treatment processes and distribution. These systems were not initially designed with cybersecurity in mind, leading to a patchwork of protections that fail to meet today’s threat landscape.

Attackers, particularly nation-state actors, view water utilities as valuable targets because of their potential to disrupt civilian infrastructure and cause widespread panic. Because they lack robust security, water systems are also easier to breach. Overall, the water sector’s vulnerabilities make it a key target for adversaries seeking either monetary gain or to exert geopolitical pressure.


The public notification process under CIRCIA

American Water’s decision to disclose the cyberattack via an 8-K filing highlights its role as critical infrastructure and the regulatory requirements tied to such status. The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that critical infrastructure entities report cyber incidents to CISA within 72 hours of detection. This is part of a broader federal initiative to ensure timely reporting and response to cyber threats targeting essential services.

Under CIRCIA, organizations are required to notify not only federal agencies like CISA but also the public, particularly when service disruptions or data breaches affect consumers. In this case, American Water’s 8-K filing serves as both a legal and public notification, as the Securities and Exchange Commission (SEC) mandates that publicly traded companies report material events that could impact their financial standing.

This notification process is crucial for maintaining public trust in critical services. While American Water assured the public that water quality and operational processes were not impacted, the transparency in disclosing the cyberattack speaks to the heightened regulatory environment in which critical infrastructure operators now function.

Existing cybersecurity regulations and standards

The water sector, like many other critical infrastructure sectors, operates under a framework of voluntary and mandatory cybersecurity standards. In 2023, the U.S. Environmental Protection Agency (EPA) attempted to introduce mandatory cybersecurity audits for water utilities under its enforcement of the Safe Drinking Water Act.

These audits were meant to assess the cybersecurity posture of utilities, many of which have struggled to implement baseline security measures, such as multi-factor authentication (MFA) and network segmentation. However, legal challenges from several states have delayed the full implementation of these mandates, and the regulatory landscape remains in flux.

CISA has also issued comprehensive guidance on securing ICS and OT systems in the water and wastewater sectors. This guidance, outlined in its Cross-Sector Cybersecurity Performance Goals (CPGs), includes recommendations for reducing the exposure of critical systems to the internet, enforcing strong password policies and ensuring that outdated industrial devices are replaced or securely managed.

The increasing frequency of cyberattacks on the water sector has prompted a broader national discussion on the need for more stringent regulations and industry-wide standards. In response, the Biden administration has emphasized the importance of building resilience within water systems through cybersecurity training, threat sharing and investment in security technologies.

Urgent need to make water safe

The American Water cyberattack underscores the vulnerabilities that continue to plague the water and wastewater sectors, particularly at the intersection of IT and OT. With ongoing threats from nation-state actors and hacktivist groups, the water industry must urgently strengthen its cybersecurity posture.

American Water’s transparency in reporting the incident and cooperation with CISA and law enforcement set a necessary precedent for other critical infrastructure providers. As cybersecurity regulations continue to evolve, water utilities will need to prioritize cyber hygiene, adopt best practices from federal agencies and prepare for the inevitability of future attacks.
