American Water cyber attack prompts US utilities security warning
American Water cyber-attack: a wake-up call for the utility industry?
A cyber-attack on American Water, a US utility, has prompted calls from the cybersecurity industry for water companies to urgently review their outdated cybersecurity protection.
American Water, the biggest regulated water utility in the US, has admitted this week that it was the victim of a cyber-attack, forcing the company to pause customer billing.
The New Jersey-based company — which provides services to more than 14 million people in 14 states and on 18 military installations — said it became aware of the unauthorised activity on 3 October but believes that none of its water or wastewater facilities or operations have been negatively impacted.
In a statement to the United States Securities and Exchange Commission (SEC), American Water said it “learned of unauthorised activity within its computer networks and systems, which the Company determined to be the result of a cybersecurity incident.”
American Water manages over 500 water and wastewater systems in about 1,700 communities from California to Virginia and Hawaii to Iowa.
It said that, upon learning of the attack, it immediately took protective steps, including shutting down relevant systems, adding that its staffers are working “around the clock” to investigate the nature and the scope of the attack.
“As a result, the Company immediately activated its incident response protocols and third-party cybersecurity experts to assist with containment and mitigation activities and investigate the nature and scope of the incident.
“Although the Company is currently unable to predict the full impact of this incident, the Company does not expect the incident will have a material effect on the Company, or its financial condition or results of operations.”
Why water utilities are prime targets for cyber attacks
In response to the incident, James Neilson, SVP International at cybersecurity outfit OPSWAT, said the American Water cyber-attack “follows recent warnings from the US’s Cybersecurity and Infrastructure Security Agency about ongoing threats to water systems, particularly the exploitation of critical security control systems.
“The water sector remains vulnerable due to outdated systems, interconnected networks, limited resources, and weak regulations,” he said.
He added that the industry’s reliance on digital systems exposes critical infrastructure, making it a prime target: “Water supply is a critical infrastructure for our society, so it is a tantalising target for those looking to disrupt the day-to-day life of citizens.
“It’s crucial that companies have practised and honed their incident response plans so they can react swiftly and effectively in the event of a cyber-attack, minimising potential damage,” said Neilson.
Wallarm security expert Tim Erlin, speaking to the website Industrial Cyber, said that water and waste treatment facilities were particularly vulnerable to cyber-attacks because they are often underfunded on cybersecurity but face the same risks as other critical infrastructure businesses.
“There’s no doubt that we’ll learn more as the incident investigation progresses, but the fact that they’d disconnected online systems could point to an API or web application attack,” said Erlin.
Dr Marc Manzano, general manager for cybersecurity at SandboxAQ, added: “With growing threats from cybercriminals and nation-state actors, the importance of securing these systems has never been clearer. It’s not just about protecting data — it’s about maintaining public safety and ensuring the resilience of services we rely on.”
The attack comes just days after a report was released revealing that political motivations were driving the increase in cyber attacks on critical infrastructure.