
The American Water cyberattack: Explaining how it happened

A cyberattack on American Water disrupted customer systems. While water operations were unaffected, the incident underscores the vulnerability of critical infrastructure.

Critical infrastructure increasingly relies on digital technologies to operate. Those same digital technologies can also potentially put critical infrastructure at risk.

Water is among the most important components of infrastructure. Because of this, it also represents a lucrative target for cyberattackers. An attack against critical infrastructure can have severe effects on the lives of individuals, families and businesses.

On Oct. 3, 2024, American Water was breached in what appeared to be a significant cyberattack. The attack involved unauthorized access to American Water's computer networks and systems. American Water responded by shutting down some of its systems to contain the risk. The precise type of attack was not initially disclosed by American Water, though some early speculation suggested that it was a ransomware attack.

The incident has once again raised concerns about the vulnerability of critical infrastructure to digital threats and highlighted the ongoing challenges in securing essential services against evolving cyber-risks. The U.S. government has been particularly concerned about the issue for some time, warning in May 2024 that threats to critical infrastructure are severe.

What is American Water?

American Water is one of the largest water and wastewater utility companies in the United States.

The company was founded in 1886 as American Water Works & Guarantee Company and provides drinking water, wastewater management and other related services to an estimated 14 million people in 14 states. It also provides services to 18 military installations across the country. The company operates through regulated subsidiaries in each state.

American Water owns and operates an extensive network of facilities that includes surface water treatment plants, groundwater treatment plants and wastewater treatment plants. American Water also operates more than 53,000 miles of transmission, distribution and collection mains and pipes.

What is the nature of the cyberattack?

As of Oct. 10, 2024, full details on the American Water cyberattack have not been publicly disclosed.

What is known is American Water became aware of unauthorized activity in its computer networks and systems on Oct. 3, 2024. American Water characterized the unauthorized activity as a "cybersecurity incident," but the specific type or method of attack has not been disclosed.

Unauthorized activity generally refers to a threat actor somehow gaining access to a system and executing some form of action. That action could be any number of things -- including deploying ransomware, disclosing personally identifiable information or taking some other action that disrupts the operations of a company.

Who was affected?

Given the broad use of American Water's services across the U.S., the cyberattack on American Water has the potential to affect many individuals and organizations, including the following:

  • More than 14 million people across 14 states and 18 military installations.
  • Employees and stakeholders of American Water.

While the company has stated its water and wastewater facilities and operations remain unaffected by the incident, the disruption to customer-facing systems has affected service.

Timeline of the attack

  • Oct. 3, 2024: American Water detected unauthorized activity within its computer networks and systems.
  • Oct. 3-7, 2024: The company activated incident response protocols, engaged cybersecurity experts and notified law enforcement.
  • Oct. 7, 2024: American Water publicly disclosed the cyberattack through an SEC filing and a statement on its website.
  • Oct. 8, 2024, onward: Investigation and recovery efforts continue, with systems remaining offline and billing operations paused.

Who was responsible for the attack?

As of Oct. 10, 2024, attribution for the attack has not been made.

American Water is working alongside law enforcement and third-party cybersecurity experts to determine the nature and scope of the attack, as well as to determine attribution.

Among the potential sources of the attack are nation-state actors. U.S. water facilities in 2023 and in 2024 have allegedly been breached by Russian-, Chinese- and Iranian-backed cyberattackers.

What is the impact of this attack?

The attack affected American Water in several ways, including the following:

  • System shutdowns. American Water had to shut down certain systems, including its online customer portal -- MyWater.
  • Customer service disruption. With the online portal shut down, customers lost access to the self-service platform.
  • Billing suspension. The company paused its billing functions, further disrupting customers. American Water disclosed that it would not charge any late fees or other fees related to billing while the system is down.
  • Potential data breach. While not confirmed, there is a risk that customer data might have been compromised.
  • Reputational damage. As a critical infrastructure provider, public trust in American Water's ability to protect its systems and customer data could be affected.

American Water said the company does not believe any of its water or wastewater facilities have been negatively affected by the incident. The company did not report any compromise to water quality or service delivery.

How does this compare to other infrastructure attacks?

Critical infrastructure attacks -- particularly against water facilities -- are unfortunately not a unique phenomenon. Over the last several years, multiple attacks have occurred, affecting operations and customers alike.

| Incident | Date | Nature of attack | Impact | Suspected perpetrators |
|---|---|---|---|---|
| American Water cyberattack | October 2024 | Unauthorized access to computer networks and systems | Shutdown of customer service platform and billing operations; water operations unaffected | Unknown (investigation ongoing) |
| Chinese infiltration of U.S. water systems | February 2024 | Infiltration of cyber infrastructure | Potential for damage to critical infrastructure | Chinese state-sponsored hackers |
| Muleshoe, Texas, water facility hack | January 2024 | Caused water tank overflow | Tank overflowed for 30-45 minutes; no impact on drinking water | Russian-linked hackers |
| Veolia North America Municipal Water hack | January 2024 | Data theft | Back-end systems and various software applications taken offline; stolen personal information | Unknown (investigation ongoing) |
| North Texas Municipal Water District hack | November 2023 | Data theft | Disrupted operations; phone system affected; no impact on water services | Daixin Team (cybercrime group) |
| Municipal Water Authority of Aliquippa attack | November 2023 | Breach of industrial equipment | One pump station operated manually; no impact on water quality or service | Cyber Av3ngers (pro-Iran group) |
| Colonial Pipeline ransomware attack | May 2021 | Ransomware attack | Pipeline shut down for six days; fuel shortages in Southeast U.S. | DarkSide (Russian-speaking cybercriminal group) |
| Oldsmar water treatment plant hack | February 2021 | Attempted manipulation of chemical levels | No impact (caught quickly); potential poisoning of water supply | Unknown |

EPA warns of alarming cybersecurity vulnerabilities

Multiple agencies within the U.S. government have been warning about cybersecurity vulnerabilities in critical infrastructure.

In January 2024, multiple agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Environmental Protection Agency (EPA), published a joint guide on incident response for water utilities. In May 2024, the EPA followed up with an alert outlining what it referred to as urgent cybersecurity threats and vulnerabilities related to the U.S. drinking water system. A primary goal of the EPA warning was to help ensure compliance with the Safe Drinking Water Act (SDWA) Section 1433, which details the need for updated risk and resilience assessments, as well as emergency response plans.

The alert provides insight into the state of water systems, as well as some recommendations. It details the following:

  • Widespread vulnerabilities. More than 70% of inspected water systems do not fully comply with the SDWA's cybersecurity requirements under Section 1433.
  • Noncompliance. Since 2020, the EPA has taken more than 100 SDWA enforcement actions against community water systems for violations of Section 1433.
  • Recommendations. The agency recommends several actions for water systems, including reducing exposure to public-facing internet, conducting regular cybersecurity assessments and changing default passwords.
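The three EPA recommendations above translate directly into checks a utility can run against its own asset inventory. The script below is an added example, not code from the article, the EPA or American Water: it takes a constructed inventory (the field names, the sample assets and the 12-month assessment window are all assumptions) and reports which assets are unnecessarily internet-exposed, still carry a default password, or are overdue for a cybersecurity assessment, with a severity that ranks exposed assets on default credentials first.

```python
"""Triage a water-utility asset inventory against the EPA's recommendations.

Added example, not from the article. The inventory below is constructed for
illustration; field names and the assessment window are assumptions.
"""
from datetime import date, timedelta

# Constructed sample inventory (assumption: these fields exist in the CMDB).
# "public_by_design" marks assets that must face the internet, such as a
# customer portal; exposure is only a finding when it is not by design.
ASSETS = [
    {"name": "plant-hmi-01", "internet_exposed": True, "public_by_design": False,
     "default_password": True, "last_assessment": "2022-03-01"},
    {"name": "billing-portal", "internet_exposed": True, "public_by_design": True,
     "default_password": False, "last_assessment": "2024-08-15"},
    {"name": "scada-historian", "internet_exposed": False, "public_by_design": False,
     "default_password": False, "last_assessment": "2023-01-10"},
    {"name": "pump-plc-07", "internet_exposed": False, "public_by_design": False,
     "default_password": True, "last_assessment": "2024-09-01"},
]

# Assumed policy: every asset is assessed at least once every 12 months.
ASSESSMENT_WINDOW = timedelta(days=365)


def findings_for(asset, today):
    """Return the list of EPA-recommendation findings for one asset."""
    findings = []
    # Recommendation 1: reduce exposure to the public-facing internet.
    if asset["internet_exposed"] and not asset["public_by_design"]:
        findings.append("exposed-to-public-internet")
    # Recommendation 3: change default passwords.
    if asset["default_password"]:
        findings.append("default-password")
    # Recommendation 2: conduct regular cybersecurity assessments.
    last = date.fromisoformat(asset["last_assessment"])
    if today - last > ASSESSMENT_WINDOW:
        findings.append("assessment-overdue")
    return findings


def severity(findings):
    """Rank findings: exposed + default credentials is the worst combination."""
    exposed = "exposed-to-public-internet" in findings
    default_pw = "default-password" in findings
    if exposed and default_pw:
        return "critical"
    if exposed or default_pw:
        return "high"
    if findings:
        return "medium"
    return "none"


def triage(assets, today):
    """Map asset name -> (severity, findings) for every non-compliant asset."""
    report = {}
    for asset in assets:
        findings = findings_for(asset, today)
        if findings:
            report[asset["name"]] = (severity(findings), findings)
    return report


if __name__ == "__main__":
    # Constructed reference date matching the article's "as of" date.
    for name, (sev, found) in sorted(
        triage(ASSETS, date(2024, 10, 10)).items(), key=lambda kv: kv[1][0]
    ):
        print(f"{sev:8s} {name:16s} {', '.join(found)}")
```

Running it with the constructed inventory flags the internet-exposed HMI on default credentials as critical, the PLC with a default password as high, and the historian as medium for a stale assessment; the customer portal is exposed by design and passes. Extending the checks (for example, a finding for missing multifactor authentication on remote access) only requires another field and another branch in `findings_for`.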

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
