American Water cyberattack renews focus on protecting critical infrastructure

Your support helps us to tell the story

Support Now

Find out moreClose

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Editor

A cyberattack continues to affect the largest regulated water and wastewater utility company in the United States, renewing a focus on the importance of protecting critical infrastructure sites.

New Jersey-based American Water paused billing to customers as it announced the cyberattack on Monday. It said it became aware of the unauthorized activity on Thursday and immediately took protective steps, including shutting down certain systems. Water services have been unaffected as protections remained in place Wednesday.

The company — which provides drinking water and sewer services to more than 14 million people in 14 states and on 18 military installations — said it does not believe its facilities or operations were impacted by the attack, although staffers were working “around the clock” to investigate its nature and scope.

The attack against American Water appears to be an “IT focused attack” more than an operational one, according to Jack Danahy, vice president of strategy and innovation at Colchester, Vt.-based NuHarbor Security in Vermont.

“People haven’t traditionally thought of pieces of infrastructure, such as water and wastewater service as being prone to threats, but incidents like this shows how quickly problems could occur,” Danahy said. “As billing and other services have become more accessible to customers in recent years, they're now exposed to more types of risks and concerns that were not previously there.”

The U.S. Cybersecurity and Infrastructure Security Agency and the Environmental Protection Agency urged water systems to take immediate actions this year to protect the nation’s drinking water. About 70% of utilities inspected by federal officials recently violated standards meant to prevent breaches or other intrusions, the EPA said.