The “largest regulated water and wastewater utility company” in the United States, American Water, is recovering from a cyber attack that forced it to pause billing services for its 14 million customers. While the company says it’s retained 3rd-party cyber experts to help with the response, a spokesman declined to respond to Cyber Insurance News’ question about its cyber insurance. The FBI also had no comment.
The attack comes just months after the White House and EPA sent letters in March to all American governors warning of the “urgent need to safeguard water sector critical infrastructure against cyber threats.” Just weeks before, the FBI and CISA (Cybersecurity and Infrastructure Security Agency) updated their recommendations for securing water systems from cyber attack. This flurry of activity was no doubt linked to a December 2023 government alert about advanced persistent cyber threats from Iran’s IRGC (Islamic Revolutionary Guard Corps). “IRGC-affiliated cyber actors using the persona ‘CyberAv3ngers’ are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare,” said the warning.
Based on the description of its impact, the American Water attack may not have involved PLCs but rather other systems in the utility’s back office; such details have not yet been disclosed.
American Water disclosed its attack in an 8-K filing with the SEC on October 7th. It immediately disconnected certain systems to protect data and prevent further damage, said the company. American Water reported the cyberattack did not impact core water and wastewater services. “Providing safe and reliable access to water and wastewater services is our top priority,” the company shared, noting there was no indication water quality or its facilities were impacted.
“Our team is working around the clock to investigate what happened and how far it goes,” a spokesperson said. American Water has brought in third-party cybersecurity experts to assist in the investigation and containment of the incident and is cooperating fully with law enforcement. The company had no comment when Cyber Insurance News asked about the role of cyber insurance in the recovery and investigative efforts. We imagine American Water does have cyber insurance, and future SEC filings may reveal more details on the cost of the attack and the role of cyber insurers.
This cyber incident comes amid increasing federal focus on the vulnerabilities of critical infrastructure like water utilities. In March 2024, U.S. Environmental Protection Agency (EPA) Administrator Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. Governors, urging state environmental, health, and homeland security leaders to take immediate steps to protect water sector infrastructure from cyberattacks.
“The Biden Administration has built our national security approach on the foundational integration of foreign and domestic policy, which means elevating our focus on cross-cutting challenges like cybersecurity,” asserted National Security Advisor Jake Sullivan in announcing the March letters. “We’ve worked across government to implement significant cybersecurity standards in our nation’s critical infrastructure, including in the water sector, as we remain vigilant to the risks and costs of cyber threats.”
We look forward to learning whether the American Water attack involved Iranian or other government actors.