American Water, the largest water and wastewater utility in the U.S., recently confirmed a significant cyberattack affecting over 14 million customers across 14 states. The breach, discovered on October 3, 2024, did not impact the physical operations of water treatment or wastewater facilities, but the company’s customer billing system was suspended as a precaution. The incident has raised concerns about the vulnerability of U.S. infrastructure, particularly in the underfunded water sector, as investigators continue to determine the full scope of the breach.
Was Ransomware the Culprit?
Cybersecurity experts have suggested that the attack may have involved ransomware. The shutdown of the billing system and customer service portal, MyWater, is typically a hallmark of ransomware attacks, where attackers disable core business operations to extort money. Kevin Kirkwood, CISO at Exabeam, speculated that the compromise likely targeted American Water’s internal corporate systems rather than the operational technology (OT) systems that control water treatment facilities. Had OT systems been breached, Kirkwood argued, the impact could have been catastrophic, potentially leading to widespread plant shutdowns or contamination advisories.
Ransomware: A Growing Threat to U.S. Utilities
This incident is part of a growing trend where ransomware attacks are increasingly targeting critical infrastructure sectors, including utilities. In 2021, the Colonial Pipeline attack highlighted how ransomware could severely disrupt the energy sector, and now the water utility sector is under siege. Ransomware attacks not only interrupt essential services but can also erode public trust and cause long-term reputational damage. Andrew Lintell, GM at Claroty, echoed these concerns, noting that even a partial shutdown, like the suspension of billing services, can have a ripple effect on customer trust and satisfaction.
The Soft Target: U.S. Water Infrastructure
The water sector has long been considered a soft target due to its reliance on outdated technology and underfunded cybersecurity defenses. While American Water managed to prevent direct impacts on its water supply systems, the incident serves as a reminder that the water utility sector is vulnerable to a wide range of cyberattacks, from ransomware to more sophisticated nation-state attacks. Many water utilities lack the resources to implement robust cybersecurity defenses, making them an attractive target for attackers seeking to cause disruption on a national scale.
State-Sponsored Threats on the Rise
Although ransomware is the suspected cause of the attack on American Water, experts like Lintell have raised the possibility that the breach could have been part of a broader state-sponsored campaign. U.S. intelligence agencies have been warning about state-sponsored actors, particularly from China and Russia, targeting critical infrastructure for years. In fact, earlier in 2024, the CISA and its international partners issued an advisory about the Chinese-linked Volt Typhoon group, which has been quietly infiltrating U.S. water systems for over five years. These groups often maintain a long-term presence within networks, waiting for an opportune moment to launch a more significant, destabilizing attack.
The Role of OT Systems in Cybersecurity
One of the key areas of concern in the American Water breach is the potential vulnerability of operational technology (OT) systems, which control physical processes like water treatment and distribution. Although the company has assured the public that its water facilities were not affected, OT systems remain a critical point of entry for attackers. As more utilities adopt digital solutions, the convergence of OT and IT (information technology) systems presents new cybersecurity challenges. Attackers who gain access to IT systems can potentially pivot to OT environments, where they could disrupt essential services or even compromise public health.
Incident Response and Mitigation Efforts
American Water responded swiftly to the breach by disconnecting affected systems and suspending billing operations. The company has since brought in third-party cybersecurity experts to assist in the investigation and mitigation process. Law enforcement has also been notified, and the company is working closely with federal authorities to assess the full extent of the attack. While the immediate focus is on containment, the long-term challenge will be strengthening the company’s cybersecurity defenses to prevent future attacks.
Identity Security and Access Control: A Weak Link
One common thread in attacks on critical infrastructure is the exploitation of weak identity security and access controls. Attackers often use compromised credentials to gain initial access to systems, escalate privileges, and move laterally across networks. In the case of American Water, it is still unclear how the attackers gained access, but identity-based attacks are a likely vector. Strengthening identity and access management (IAM) systems, particularly Active Directory, should be a priority for utilities seeking to bolster their defenses.
The Need for a Holistic Cybersecurity Approach
The American Water breach underscores the need for a more holistic approach to cybersecurity in the utility sector. This includes not only securing IT and OT systems but also addressing vulnerabilities in identity management, implementing incident response protocols, and investing in advanced threat detection technologies. Cybersecurity experts have long warned that underfunded sectors like water utilities are ill-prepared to defend against the sophisticated attacks we are now seeing. American Water’s swift response may have mitigated the damage this time, but the incident serves as a wake-up call for the entire industry.
The Ripple Effect: Public Trust and Long-Term Damage
Beyond the immediate operational impacts, cyberattacks on public utilities can have a long-term effect on public trust. When essential services like water supply are targeted, it raises concerns about the reliability of the infrastructure that millions of Americans rely on daily. Even if the attack did not disrupt water delivery, the mere fact that a utility as large as American Water was compromised can erode customer confidence. Lintell warned that public perception is often slow to recover after such incidents, and utilities need to be proactive in rebuilding trust through transparency and improved security measures.
Lessons Learned: Preparing for Future Attacks
The American Water cyberattack offers several lessons for other utility companies. First, it highlights the importance of having a well-prepared incident response plan that can be activated quickly to minimize damage. Second, it underscores the need for continuous monitoring and detection capabilities that can identify suspicious activity before attackers have a chance to do significant harm. Finally, it reinforces the need for utilities to invest in cybersecurity training for employees, as human error is often the weakest link in the security chain.
Conclusion: Strengthening Defenses for the Future
As American Water works to restore its billing systems and investigate the full extent of the breach, the incident serves as a stark reminder of the vulnerabilities facing U.S. critical infrastructure. Whether the attack was driven by ransomware or state-sponsored actors, the lesson is clear: utilities must prioritize cybersecurity. From strengthening identity security to improving incident response capabilities, the steps taken today will determine the resilience of our infrastructure tomorrow.
Author Vladimir Rene
Certified Ethical Hacker, Security management and Microsoft Security Engineer
