American Water, the largest publicly regulated water and wastewater utility in the US, disclosed on Monday that it had fallen victim to a cyber-attack affecting certain internal systems.
The New Jersey-based company, which provides essential water and wastewater services to over 14 million people across 14 states, said it moved quickly to secure its operations after discovering unauthorized activity within its networks on October 3.
Systems Secured, Billing Paused
In a regulatory filing with the US Securities and Exchange Commission (SEC) on Monday, American Water confirmed that the attack had not impacted the operation of its water and wastewater facilities, which continue to function normally.
However, the company acknowledged that it is still assessing the full scope of the breach.
As a precautionary measure, it has disconnected specific systems and suspended customer billing until further notice. Customers have been assured they will not face late charges during this period.
Ruben Rodriguez, a spokesperson for American Water, told TechCrunch the company’s focus is on protecting customer data and preventing further damage.
He confirmed that law enforcement has been notified, and internal teams are working around the clock to investigate the nature of the breach.
Rodriguez did not disclose which systems had been compromised or provide specific details about the type of cyber-attack.
Cybersecurity Concerns in US Critical Infrastructure
The incident comes at a time of increasing concern over cybersecurity vulnerabilities in US critical infrastructure, particularly in water and wastewater systems.
Earlier this year, US intelligence agencies, including the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), warned that state-sponsored hackers from China had successfully breached a number of critical infrastructure sectors, including water systems. The hackers were said to be capable of maintaining long-term access to these networks, potentially disrupting operations during a crisis.
Read more about the advisory: CISA Warns Critical Infrastructure Leaders of Volt Typhoon
In recent years, there have been several high-profile cyber-attacks on water systems in the US, including an incident in 2021 in Oldsmar, Florida, where hackers attempted to poison the water supply by altering chemical levels.
Such attacks have raised alarms about the potential for cybercriminals and nation-state actors to target essential public services.
Underfunded Water Utilities Face Rising Cyber-Threats
The American Water breach has once again drawn attention to the broader challenges of the water sector, which often lacks sufficient cybersecurity funding.
Tim Erlin, a security strategist at Wallarm, noted that water utilities are increasingly reliant on modern digital technologies, such as APIs and web applications, which can introduce new vulnerabilities.
“Water and wastewater treatment facilities are sometimes underfunded when it comes to cybersecurity, but they face the same threats as other organizations,” Erlin warned. “CISA […] has focused on the water and wastewater treatment sector, but these changes take time and budget.”
Focus on Identity Security and Long-Term Solutions
Sean Deuby, a cybersecurity expert at Semperis, also commented on the news, observing that the American Water attack was not entirely unexpected, given the growing number of warnings issued by federal agencies.
Deuby noted that while the company’s swift response to isolate its systems was commendable, it reflects the broader cybersecurity challenges facing critical infrastructure.
He emphasized that the most common method used by attackers to gain access to such systems is through identity-based attacks, targeting weak identity management systems like Active Directory.
“One common thread across all these campaigns is the use of identity for initial access, propagation, privilege escalation and persistence,” Deuby added. “Organizations ought to prioritize protecting these mission-critical systems that are always targeted by threat actors, whether they’re nation-state actors or cybercriminals.”
At the time of writing, American Water has not provided a timeline for when its systems will be fully restored, and customers are advised to monitor the company’s website for updates.