Cyberattack Strikes American Water, Disables Customer Portal and Billing Services

American Water has recently reported a significant cybersecurity incident that has disrupted its computer networks and systems, impacting its customer portal and billing functions. The company, which is the United States’ largest publicly traded water and wastewater utility, based in Camden, New Jersey, reassured its clients that their water services remain unaffected.

The intrusion was first identified on October 3, 2024, prompting American Water to initiate emergency measures to safeguard customer information and protect both its online and physical infrastructure. As a precautionary step, the company has temporarily deactivated its customer portal, MyWater, resulting in the suspension of billing activities until further notice.

While details regarding the nature of the attack remain unclear, including whether it constitutes a data breach or a ransomware event, American Water has activated a team of cybersecurity professionals to address the situation. In its security advisory, the company emphasized that these experts are working continuously to mitigate the effects of the cyberattack.

Customers have been advised that the quality and safety of their water supply continue to meet established standards and that no service interruptions are expected. To alleviate customer concerns over billing and account access, American Water has announced that no late fees or service disconnections will occur while its customer portal remains offline. The company’s call center remains operational with limited functionality, focusing primarily on customer support.

This incident follows closely on the heels of revelations regarding a cyber breach involving the Chinese government-backed Salt Typhoon APT group, which successfully infiltrated major telecom companies in the United States, such as AT&T and Verizon. These developments underline the growing vulnerabilities faced by critical infrastructure sectors, including water utilities.

Security expert Tim Erlin of Wallarm commented on the implications of such attacks on critical infrastructure, stressing that the digital transformation of these systems makes them susceptible to similar threats. He pointed to past incidents, including the 2021 Oldsmar water facility breach in Florida, which demonstrate the persistent challenges in maintaining cybersecurity within water treatment facilities.

Recent analyses from cybersecurity firm Censys reveal that thousands of Industrial Control Systems (ICS) in the U.S. and the U.K. are at risk of cyberattacks, highlighting the potential for significant threats to critical infrastructure, including water systems.

In light of this incident and its context, several tactics from the MITRE ATT&CK framework may apply: initial access through phishing or exploitation of vulnerabilities, persistence to maintain access to affected systems, and privilege escalation to gain administrative privileges. As businesses navigate an increasingly complex cyber threat landscape, understanding these tactics is crucial for safeguarding assets and operations.
