American Water, the largest publicly traded water and wastewater utility company in the U.S., was forced to shut down some of its systems following a cyberattack on Thursday. In a filing with the U.S. Securities and Exchange Commission (SEC), the company stated that it has brought in third-party cybersecurity experts to contain the breach and assess its impact. American Water has also reported the incident to law enforcement and is working with them in an ongoing investigation.
According to the company’s 8-K regulatory filing, it has disconnected or deactivated certain systems as a precautionary measure to protect its data and infrastructure. Additionally, the attack forced American Water to shut down its online customer portal, MyWater, and suspend billing services.
Company spokesperson Ruben Rodriguez assured customers that they would not face late charges while the systems remain offline. “Our dedicated team of professionals is working around the clock to investigate the nature and scope of the incident,” he said, adding that, so far, no water or wastewater facilities or operations appear to have been negatively affected by the breach.
American Water serves over 14 million people in 14 states and on 18 military installations, with a workforce of more than 6,500 employees.
This attack on American Water follows a similar incident that hit the water treatment facility in Arkansas City, Kansas, forcing it to switch to manual operations. These incidents align with a TLP:AMBER advisory from the Water Information Sharing and Analysis Center (WaterISAC), which warned of Russian-linked cyberattacks targeting the water sector.
Earlier this year, other state-sponsored attacks were reported, including Chinese-backed Volt Typhoon hackers infiltrating drinking water systems in February and Iranian threat actors breaching a Pennsylvania water facility in November 2023.
In response to these rising threats, the U.S. Environmental Protection Agency (EPA) recently issued guidelines to help water and wastewater system (WWS) operators assess their cybersecurity defenses and take measures to reduce their exposure to cyberattacks.