American Water Works, the country's largest provider of water services to 14 states, recently reported that it was cyber attacked on its information technology system. The current report has indicated that operational technology systems that control delivery of water within the company are not affected. As reported by Bloomberg, the company disclosed to shareholders in a filing with the U.S. Securities and Exchange Commission which forced the company to temporarily suspend billing and limit customer support.
On its website, the American Water Works explained its statement in announcing that certain systems were turned off in an attempt to prevent more damages on its customers' information. Its MyWater online service has been temporarily halted, thus stopping billing processes until the systems can be brought back online. The company assured that water quality is not affected and safe for drinking. Whether the customers' information was accessed remains a determination to be made.
Response to the Incident
The company cannot yet fully assess the impact of the incident but confirms that its water and wastewater operations are unaffected. American Water Works first detected unauthorised activity in its networks on October 3. Upon discovery, the company activated its cybersecurity response protocols and sought the assistance of third-party cybersecurity specialists to help contain and investigate the incident. Law enforcement was notified promptly and are actively involved in ongoing inquiries.
The company's IT teams are scrambling to protect data by isolating some systems that might prevent any possible damage. The exact nature of the attack is still unknown, but such cases of ransomware attacks scare cybersecurity experts, who have noted recent instances in which hackers carried out ransomware attacks. The separation of the IT network from the OT networks by the company, a critical step in cybersecurity for critical infrastructures, may have allowed it to contain the spread of the attack that did not penetrate the core operations.
Cyber Threats Against Water Utilities
The incident is part of a worrying trend of cyberattacks on water utilities. Just two weeks back, a Kansas water utility fell under similar attacks, reviving the renewed debate on protection of critical services. According to a report by Cyble, a cybersecurity firm, groups such as Russia-linked People's Cyber Army are increasingly threatening the water sector through cyber attacks. The report has identified significant vulnerabilities and pointed out that many US water utilities are using outdated systems and those lacking in their cybersecurity practices.
Notably, a similar alarm is sounded by the latest GAO report against the Environmental Protection Agency, which presses for better cybersecurity requirements in water utility providers. A review of the water utilities through inspections reported that almost 70% of them don't comply with basic cybersecurity guidelines, which puts it at the risk of a potential disruption in its operations or even contamination. Cyble's research calls out for contemporary security measures such as network segmentation and strengthening of controls over control systems, among others.
Experts recommend network segmentation for water utilities to separate IT from OT systems; also HMIs that can lock down their monitoring systems. As more and more water utilities bring their systems onto the internet, the chance of cyber threats increases continually. Even as American Water Works works through its recent cyber incident, pressure is growing throughout the industry to harden its defences and protect critical infrastructure in a manner that ultimately protects public health.
Recently, the American Water Works was attacked via a cyber attack that portrays a need for stronger cybersecurity practices in the water industry. As attacks increase in terms of frequency and complexity, companies must implement strong security measures to protect the essentials and assure the public regarding the safety of delivering water.