Skip to content
Menu
menu

Illustration by iStock, Security Management

Largest U.S. Water Utility Experiences Cyber Incident

The largest water utility in the United States, American Water Works Company, which serves more than 14 million customers in 14 states, filed a report with the U.S. Securities and Exchange Commission (SEC) on 3 October to notify the agency of a cybersecurity incident affecting the utility’s IT systems.

American Water said it detected unauthorized activity in its computer networks and systems on 3 October. But the company explained that it has not detected any intrusions into systems that affect vital services and no ransomware group or other threat actor has taken responsibility. The utility did take its customer portal and billing system offline.

“In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems,” the company said in a FAQ on its website. “We currently believe that none of [American Water] water or wastewater facilities or operations have been negatively impacted by this incident.”

In the SEC filing, American Water said, “Upon learning of this activity, the company immediately activated its incident response protocols, and [engaged] third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident.”

The company also said it notified and is cooperating full with law enforcement.

Concerns about the IT security of the nation’s water utilities is nothing new. The United States depends on a sprawling, decentralized network of more than 50,000 community water systems. The federal government routinely raises the issue of the vulnerability of water utilities, many of which are small, serving less than 10,000 people, and have limited IT budgets and expertise. Most recently in March 2024, the Environmental Protection Agency (EPA) sent a letter to state governors seeking cooperation with the EPA’s efforts to safeguard water utilities from cyberattacks.

But one high-profile incident of an attack on a small water utility in Florida  may not have been a cyberattack at all. Cyberscoop reported on the incident in Oldsmar, Florida, two years after it occurred, finding that “There’s still little evidence pointing to exactly what happened inside the plant… new details suggest that the incident may not have been the work of an outside hacker at all.”

One Security Management article from earlier this year examined the cyber vulnerabilities of utilities—electric utilities in particular, but including water utilities as well—and determined one management approach that can make a difference is converging cybersecurity and physical security departments. Aligning the priorities and practices of the two security teams has many benefits, according to the article, including enhanced threat detection and response, improved compliance and governance, reduced risk of vulnerabilities, and increased efficiency and cost savings.

arrow_upward