A recent cyberattack on American Water, the largest publicly regulated water and wastewater utility in the U.S., was just the latest in a series of attempts by hackers to infiltrate the nation’s water systems.
Earlier this year, an attack in the Texas Panhandle caused a small town’s water system to overflow, a hack attributed to a Russian hacktivist group. U.S. intelligence agencies have also warned that state-sponsored hackers from China have successfully breached several critical infrastructure sectors, including water utilities.
Cyberattacks on infrastructure are appealing to cybercriminals because they know the targeted organizations are highly motivated to maintain business continuity and prevent disruptions. For entities providing widely used public services, there’s significant pressure to keep operations running smoothly and do whatever is necessary to resolve the attack.
According to CNBC, American Water provides services to over 14 million people across 14 states. After discovering unauthorized activity within its networks on October 3, it managed to maintain water service for all its customers, but shut down its customer service portal, MyWater, and suspended customer billing operations.
The Ransomware Threat
While the company did not share technical details about the hack, the actions taken against American Water may have been the result of a ransomware attack.
“It sounds like there were controls and protections in place to protect the actual water facilities, so the next best way for the hackers to cause disruption would be through any sort of customer-facing portal, including the billing system,” said Suzanne Sando, Senior Analyst of Fraud and Security at Javelin Strategy & Research.
“That makes me immediately think of ransomware,” she said. “The disruption to customers is what motivates an organization to do whatever they can to resolve the issue, especially when it involves critical infrastructure, public health, and essential services.”
Many of these facilities are underprepared to handle sophisticated cyberattacks. Inspections conducted by the EPA since September 2023, primarily focused on violations of the Safe Drinking Water Act, found that 70% of utility systems had critical cyber vulnerabilities, such as authentication systems that can be easily compromised.
“Many of these facilities don’t have the budget or staffing for robust cybersecurity, and that naturally makes them more vulnerable to cyberattacks,” said Sando. “And I have to wonder if there will be related implications with the Supreme Court overturning the Chevron doctrine. If federal government agencies have lost the ability to administer cybersecurity regulations, we may see an increase in attacks on critical infrastructure.”