CAMDEN, N.J. — A significant cyberattack is currently impacting the largest water and wastewater utility company in the United States, drawing renewed attention to the need for stronger protections of critical infrastructure systems.
Based in New Jersey, American Water announced a temporary halt to customer billing while disclosing the cyber incident on Monday. The company first identified the unauthorized activity on the preceding Thursday, swiftly initiating protective measures, which included shutting down various systems. Fortunately, water services remained unaffected as safeguards were maintained throughout the week.
American Water provides drinking water and sewage services to over 14 million residents across 14 states and 18 military bases. The firm has indicated that it does not believe its core facilities or operations were compromised; however, personnel were diligently working “around the clock” to assess the full nature and extent of the breach.
The nature of the attack on American Water seems to be geared more towards information technology rather than affecting operational capabilities, as suggested by Jack Danahy, Vice President of Strategy and Innovation at NuHarbor Security, a security firm based in Colchester, Vermont.
“Historically, people have not viewed essential services like water and wastewater management as vulnerable to threats, but this incident highlights how swiftly such problems can arise,” Danahy stated. “As services like billing have become more accessible online, they are exposed to a broader array of risks and threats that weren’t as prevalent before.”
In light of these events, the U.S. Cybersecurity and Infrastructure Security Agency, along with the Environmental Protection Agency, have called upon water systems to take immediate precautions this year to safeguard the nation’s drinking water supply. According to the EPA, about 70% of inspected utilities recently were found to be in violation of standards designed to prevent breaches or unauthorized access.
