American Water Works Co. Inc., the largest regulated water and wastewater utility company in the U.S., has suffered from a cyberattack that has affected its customer portal and billing services.
First disclosed in a regulatory filing, the company described the attack as “unauthorized activity within its computer networks and systems,” which they subsequently learned was the “result of a cybersecurity incident.” American Water Works then subsequently activated its incidence response plan, hired third-party cybersecurity experts and contacted law enforcement.
“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems,” American Water Works added in the filing. “The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident.”
A spokesperson for American Water Works told CBS News that the company had “disconnected or deactivated certain systems” and that “there will be no late charges for customers while these systems are unavailable.”
While the form of cyberattack was not disclosed, the ransomware duck test comes into play. If it looks like ransomware and sounds like ransomware it usually is. That American Water Works chose to disconnect systems would indicate that they were attempting to stop an attack — likely ransomware — from spreading laterally through its internal network.
While cyberattacks on utility providers such as Amercian Water Works are becoming commonplace, they present a larger risk than just systems being taken offline.
“We often overlook how vulnerable our everyday essentials are to digital threats. We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day,” Akhil Mittal, senior manager of Cybersecurity Strategy and Solutions at application security software provider Black Duck Software Inc., told SiliconANGLE via email. “A cyber incident like this could disrupt water services, delay safety checks and potentially risk public health.”
Mittal added that the focus now should be on quick action: containing the attack, getting the system back online and being transparent with the public. “As more essential services go digital, cybersecurity needs to be built into the infrastructure from the start, not bolted on later,” he said.