Cybersecurity threats continue to evolve, with hackers increasingly targeting critical infrastructure, including water and utility services, healthcare, energy grids, and financial systems. The recent cybersecurity incident at American Water, one of the largest regulated water and wastewater utility companies in the United States, highlights the vulnerabilities that exist within vital public services. As organizations and governments work to fortify their defenses against such attacks, the ramifications of a breach within critical infrastructure go beyond data loss—they pose risks to public health, safety, and national security.
The American Water Cybersecurity Incident: A Brief Overview
On October 3, 2024, American Water Works, a Camden, New Jersey-based utility providing water and wastewater services to over 14 million people across 14 U.S. states, became the target of a significant cybersecurity attack. The utility discovered “unauthorized activity” within its computer network, prompting the immediate disconnection of critical systems to protect sensitive customer data and prevent further harm.
The incident forced American Water to pause its billing operations and temporarily shut down its customer service operations, as it worked to contain the breach and assess its full scope. While the company assured customers that its operational systems—those responsible for water and sewage treatment—remained unaffected, the cybersecurity breach underscored a growing trend of hackers targeting critical services. The company stated that no late charges would be applied while the systems were down and emphasized that it was working closely with law enforcement and cybersecurity experts to address the situation.
Although the precise nature of the attack has not been disclosed, the incident is likely another in a long line of cyber intrusions where hackers seek to gain access to systems, encrypt data, and demand ransoms in exchange for restoring access. This type of ransomware attack has become increasingly common in recent years, especially as cybercriminals have targeted sectors where the disruption of services could have wide-ranging and potentially dangerous consequences.
A Growing Threat
Water utilities, like American Water, represent one of the many sectors categorized as “critical infrastructure” by the U.S. Department of Homeland Security (DHS). Critical infrastructure refers to systems and assets that are essential to the nation’s economy, security, and public health. These include power grids, healthcare systems, telecommunications, transportation networks, and, of course, water and sewage services. A cyberattack on any of these systems has the potential to disrupt essential services, cause significant economic damage, and even lead to loss of life.
The American Water incident is part of a broader trend of increasing cyberattacks against critical infrastructure. Over the past decade, cybercriminals have become more sophisticated, leveraging a combination of ransomware, malware, and phishing techniques to breach organizations’ defenses. In some cases, these attacks have been attributed to state-sponsored actors seeking to weaken or destabilize rival nations. In other instances, criminal groups motivated by profit have targeted public utilities in the hope that the urgency of restoring services will compel organizations to pay substantial ransoms.
One of the most notorious attacks on critical infrastructure occurred in May 2021, when the Colonial Pipeline, a key supplier of gasoline to the Eastern United States, was forced to shut down operations for nearly a week following a ransomware attack. The disruption led to fuel shortages across several states and highlighted the vulnerability of vital services to cyber threats. The American Water incident serves as a reminder that the water utility sector, which often lacks the robust cybersecurity measures present in other industries, is equally vulnerable to such attacks.
The Risks of Cyberattacks on Water Utilities
Water utilities face unique risks when it comes to cybersecurity. These risks stem from the convergence of operational technology (OT), which manages physical processes like water purification and sewage treatment, and information technology (IT), which handles the administrative functions of the organization. Traditionally, OT and IT systems operated in silos, reducing the risk of cross-system contamination. However, the growing interconnectivity of these systems—often referred to as the “Internet of Things” (IoT)—has created new vulnerabilities.
A successful cyberattack on a water utility could have devastating consequences, including:
- Service Disruption: A breach of OT systems could disrupt water supply, affecting millions of people who rely on clean water for drinking, sanitation, and industrial purposes. In extreme cases, hackers could shut down water treatment facilities or manipulate systems to release untreated sewage into the environment.
- Public Health Threats: Cyberattacks could compromise water quality by disabling safety systems or altering chemical dosing processes. For instance, in February 2021, hackers attempted to poison the water supply of Oldsmar, Florida, by increasing the amount of sodium hydroxide (lye) in the water to dangerous levels. The attack was thwarted before any harm could occur, but it demonstrated the real-world dangers of cybersecurity breaches in water treatment plants.
- Economic Impact: The financial consequences of a cyberattack on water utilities can be staggering. The cost of restoring systems, conducting forensic investigations, and compensating customers for service interruptions can run into millions of dollars. Additionally, reputational damage could lead to long-term financial losses as customers lose trust in the utility’s ability to safeguard their data and provide reliable services.
- Environmental Damage: A breach of sewage treatment systems could result in the accidental release of untreated or hazardous wastewater into rivers, lakes, and oceans, causing severe environmental damage. Such incidents could trigger regulatory penalties, lawsuits, and long-term harm to ecosystems.
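The public-health item above turns on a single failure mode: a setpoint for chemical dosing being driven outside what the plant was engineered for, or being written by something other than an operator workstation. The following script is an added example, not code from the article or from any utility. It shows the kind of plausibility monitor a defender would run over setpoint-change records exported from an HMI or historian. The tag names, engineering limits, approved-host list and log lines are all constructed for illustration; a real plant would take the limits from its process safety documentation.

```python
"""Plausibility monitor for chemical-dosing setpoint writes (added example).

Flags a setpoint write when the new value is outside the engineered range,
when the change in a single step is larger than allowed, or when the write
comes from a host that is not an approved operator workstation.
Everything below (tags, limits, hosts, log lines) is constructed.
"""
from dataclasses import dataclass

# Constructed engineering limits per tag: (min, max, max_step_per_write).
LIMITS = {
    "NAOH_DOSE_SP": (0.0, 150.0, 25.0),   # constructed units: ppm
    "CL2_DOSE_SP": (0.0, 4.0, 0.5),       # constructed units: mg/L
}

# Constructed allow-list of hosts permitted to write setpoints.
APPROVED_WRITERS = {"hmi-ops-01", "hmi-ops-02"}


@dataclass
class Alert:
    ts: str
    tag: str
    reason: str


def parse_record(line):
    """Parse one 'ts,tag,old_value,new_value,host' record (constructed format)."""
    ts, tag, old, new, host = line.strip().split(",")
    return ts, tag, float(old), float(new), host


def check_record(line):
    """Return a list of Alerts for one record; an empty list means it looks normal."""
    ts, tag, old, new, host = parse_record(line)
    reasons = []
    if tag not in LIMITS:
        reasons.append(f"unknown tag {tag}")
    else:
        lo, hi, max_step = LIMITS[tag]
        if not lo <= new <= hi:
            reasons.append(f"{new} outside engineered range [{lo}, {hi}]")
        if abs(new - old) > max_step:
            reasons.append(f"step {abs(new - old):.1f} exceeds max step {max_step}")
    if host not in APPROVED_WRITERS:
        reasons.append(f"write from unapproved host {host}")
    return [Alert(ts, tag, r) for r in reasons]


def scan(lines):
    """Run check_record over an iterable of log lines, skipping blanks."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_record(line))
    return alerts


# Constructed sample export: two routine writes, one dangerous write from a
# non-operator host, and one abrupt drop to zero from an operator host.
SAMPLE_LOG = """\
2024-10-03T08:00:01Z,NAOH_DOSE_SP,100.0,105.0,hmi-ops-01
2024-10-03T08:14:37Z,CL2_DOSE_SP,1.8,1.9,hmi-ops-02
2024-10-03T08:31:09Z,NAOH_DOSE_SP,105.0,1200.0,eng-laptop-07
2024-10-03T08:31:10Z,CL2_DOSE_SP,1.9,0.0,hmi-ops-01
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.tag}: {a.reason}")
```

The three checks are deliberately independent: a value can be in range yet arrive in an implausibly large step (the final record, which zeroes chlorine dosing from an operator console), and a write from an unapproved host is worth an alert even when the value itself is harmless. Alerts like these belong in the same queue as the SCADA alarms operators already watch, not only in an IT SIEM.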
Ransomware has emerged as one of the most prevalent forms of cyberattacks targeting critical infrastructure. In a typical ransomware attack, cybercriminals infiltrate an organization’s systems and encrypt sensitive data, making it inaccessible to the organization. The attackers then demand a ransom—usually paid in cryptocurrency—in exchange for decrypting the data or refraining from releasing it to the public.
The American Water cybersecurity incident bears several hallmarks of a ransomware attack. The immediate shutdown of key systems, the focus on protecting customer data, and the delay in restoring services all suggest that the company may have been dealing with encrypted systems or compromised networks.
The increasing sophistication of ransomware attacks is driven, in part, by the rise of “ransomware-as-a-service” (RaaS), in which cybercriminals provide ready-made ransomware tools to less-skilled attackers in exchange for a share of the profits. This democratization of cybercrime has led to an explosion in the number of ransomware attacks, with public utilities becoming particularly attractive targets due to their essential role in society.
In some cases, organizations have opted to pay the ransom to quickly restore services, despite warnings from cybersecurity experts and law enforcement agencies that paying ransom only incentivizes further attacks. However, paying the ransom does not guarantee that the attackers will follow through on their promises to decrypt data or refrain from selling stolen information on the dark web.
Regulatory and Governmental Responses to Cybersecurity in Utilities
The increasing frequency of cyberattacks on critical infrastructure has prompted regulatory bodies and government agencies to take action. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the DHS, is tasked with coordinating cybersecurity efforts across the country’s critical infrastructure sectors. CISA works closely with private companies, federal agencies, and state governments to enhance cybersecurity resilience through information sharing, training, and threat detection.
In the wake of major cyberattacks like those on the Colonial Pipeline and American Water, there have been calls for stronger cybersecurity regulations in the utility sector. While some utilities have robust cybersecurity measures in place, many others lag due to limited resources, outdated infrastructure, and a lack of cybersecurity expertise. Smaller water utilities, in particular, often struggle to implement comprehensive cybersecurity programs, making them attractive targets for hackers.
To address these gaps, several proposals have been put forward at both the federal and state levels. These include mandatory cybersecurity assessments, incident reporting requirements, and the adoption of best practices for securing OT and IT systems. In 2021, the Biden administration introduced a series of initiatives aimed at strengthening the cybersecurity of critical infrastructure, including enhanced cooperation between the federal government and private companies, increased investment in cybersecurity research, and the development of cybersecurity standards for the utility sector.
Strengthening Cyber Resilience in the Water Utility Sector
In light of the American Water cybersecurity incident and the broader trend of cyberattacks on critical infrastructure, water utilities must take proactive steps to enhance their cybersecurity resilience. These steps should include:
- Segmentation of OT and IT Systems: While the convergence of OT and IT has provided operational efficiencies, it has also created new vulnerabilities. Water utilities should implement network segmentation to isolate critical OT systems from IT networks, reducing the risk of cross-contamination in the event of a cyberattack.
- Regular Vulnerability Assessments: Utilities should conduct regular vulnerability assessments and penetration testing to identify weaknesses in their cybersecurity defenses. These assessments should cover both IT and OT systems, ensuring that all potential entry points for attackers are secured.
- Employee Training and Awareness: Human error remains one of the leading causes of cybersecurity breaches. Water utilities should invest in employee training programs that emphasize the importance of cybersecurity and teach employees how to recognize phishing attempts, malware, and other common attack vectors.
- Incident Response Planning: Every utility should have a comprehensive incident response plan in place that outlines the steps to be taken in the event of a cyberattack. This plan should include procedures for isolating compromised systems, notifying law enforcement, and restoring services as quickly as possible.
- Collaboration with Government Agencies: Water utilities should work closely with government agencies like CISA to stay informed about the latest cyber threats and share information about attacks. By participating in information-sharing initiatives and collaborating with law enforcement, utilities can strengthen their defenses and respond more effectively to cyberattacks.
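The first recommendation above, segmentation of OT from IT, is only as good as the evidence that traffic actually respects the boundary. The script below is an added example, not code from the article or from American Water. It encodes a simple three-zone model (corporate IT, an OT DMZ hosting a historian or data collector, and the OT control network) with the rule that IT hosts may reach only the DMZ and that only the DMZ may talk to the control network, then checks flow records exported from a firewall or NetFlow sensor against it. The address ranges, ports, zone names and flow lines are all constructed.

```python
"""Zone-policy check for IT/OT segmentation over flow records (added example).

Classifies each flow's source and destination into a zone and reports any
flow that crosses a zone pair with no allowed path, or uses a port that the
allowed path does not permit.  Zones, ports and flow lines are constructed.
"""
import ipaddress

# Constructed zone definitions.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed (src_zone, dst_zone) -> set of destination ports, or None for any
# port.  Any zone pair not listed here is a violation.  Ports are constructed.
ALLOWED = {
    ("IT", "IT"): None,
    ("DMZ", "DMZ"): None,
    ("OT", "OT"): None,
    ("IT", "DMZ"): {443},          # staff read historian reports over HTTPS
    ("DMZ", "OT"): {502, 44818},   # DMZ collector polls PLCs (Modbus/TCP, EtherNet/IP)
    ("OT", "DMZ"): {5432},         # control network pushes data to the DMZ historian
}


def zone_of(ip):
    """Map an address to its zone name, or 'UNKNOWN' if it matches no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Parse one 'ts src dst dport proto' record (constructed flow format)."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def check_flow(line):
    """Return a violation message for one flow record, or None if it is allowed."""
    ts, src, dst, dport, proto = parse_flow(line)
    sz, dz = zone_of(src), zone_of(dst)
    key = (sz, dz)
    if key not in ALLOWED:
        return f"{ts} {src}({sz}) -> {dst}({dz}):{dport}/{proto} violation: no allowed path"
    ports = ALLOWED[key]
    if ports is not None and dport not in ports:
        return f"{ts} {src}({sz}) -> {dst}({dz}):{dport}/{proto} violation: port not allowed"
    return None


def find_violations(lines):
    """Run check_flow over an iterable of flow lines and collect the violations."""
    return [v for v in (check_flow(ln) for ln in lines if ln.strip()) if v]


# Constructed sample export: two permitted flows, two direct IT-to-OT
# connections that the policy forbids, one permitted historian push, and an
# SSH session from the DMZ into a PLC that the policy does not allow.
SAMPLE_FLOWS = """\
2024-10-03T07:58:02Z 10.10.4.21 10.20.0.5 443 tcp
2024-10-03T07:59:15Z 10.20.0.5 10.30.1.10 502 tcp
2024-10-03T08:02:40Z 10.10.4.21 10.30.1.10 502 tcp
2024-10-03T08:03:11Z 10.10.4.21 10.30.1.10 3389 tcp
2024-10-03T08:05:00Z 10.30.1.10 10.20.0.5 5432 tcp
2024-10-03T08:06:30Z 10.20.0.5 10.30.1.10 22 tcp
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS.splitlines()):
        print(v)
```

Two design points matter here. First, an address that matches no zone is classified as UNKNOWN, and UNKNOWN pairs with nothing in the allow table, so an unexpected subnet appearing on either side of the boundary is reported rather than silently passed. Second, the check runs against observed flows rather than against the firewall's own rule set, which is what catches the cases segmentation is meant to prevent: a misconfigured rule, a forgotten bypass, or a dual-homed workstation that bridges the two networks.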
A Wake-Up Call for Cybersecurity in Critical Infrastructure
The cybersecurity incident at American Water serves as a stark reminder of the growing threat that cyberattacks pose to critical infrastructure. As hackers become more sophisticated and brazen in their attacks, public utilities and other essential services must prioritize cybersecurity as a core component of their operations.
The consequences of a successful cyberattack on a water utility are too severe to ignore. From service disruptions to public health risks and environmental damage, the potential fallout from a breach extends far beyond the financial losses typically associated with cybercrime. As the American Water incident demonstrates, safeguarding critical infrastructure is not just a matter of protecting data—it is a matter of protecting the public and ensuring the continuity of essential services.
By adopting a proactive approach to cybersecurity, water utilities can mitigate the risks of cyberattacks and strengthen their resilience against future threats. In doing so, they will not only protect their own operations but also contribute to the overall security and stability of the nation’s critical infrastructure.