American Water Works, one of the largest water and wastewater utility providers in the United States, announced a cybersecurity breach that prompted the company to pause billing services for its 14 million customers across 14 states. The Camden, New Jersey-based utility became aware of the unauthorized activity on Thursday and took immediate action by shutting down certain systems to prevent further damage.
While the company has assured the public that its facilities and operations were not significantly impacted, it remains cautious about predicting the full extent of the breach. In a regulatory filing, American Water Works stated that protective measures were put in place, including deactivating systems, as investigations into the incident continue.
“In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. There will be no late charges for customers while these systems are unavailable,” an American Water spokesperson said. The company has also notified law enforcement and is working closely with them as it works around the clock to uncover the nature and scope of the attack.
The breach forced the company’s customer portal, MyWater, to remain offline as of Tuesday afternoon, disrupting service operations for the utility giant. The incident sent ripples through the stock market, with shares of American Water Works dropping nearly 4% on Monday. They recovered slightly on Tuesday, but the cybersecurity scare still left investors on edge, a reminder of how fragile critical infrastructure can be in the digital age.
This attack on a water supplier highlights the growing concern among U.S. officials over the security of the nation’s critical infrastructure. As recently reported by The Wall Street Journal, intelligence services have tied a cyberattack targeting U.S. broadband providers to Chinese government operations, raising alarm over foreign threats targeting essential services like water-treatment facilities.
“Attacks on critical infrastructure, such as water and wastewater treatment facilities, are increasing,” says Nick Creath, Senior Global Product Manager for Cybersecurity Services at Rockwell Automation. “Water is a critical resource and can be at risk of breaches causing crippling disruptions, panic, widespread illness, or other impacts.”
Creath emphasizes the complexity of securing water facilities, especially given that approximately half of the U.S. water treatment plants are operated by public entities, while the other half are privately owned. These facilities often run on aging infrastructure, which can be both difficult and costly to upgrade. This outdated technology, combined with a limited pool of cybersecurity resources and expertise, makes these critical systems vulnerable to cyberattacks.
In light of the breach, Creath underscores the need for a united effort between public and private sectors to secure water treatment operations. “Government authorities and private utility companies must work together to secure the connections between IT and OT networks,” he says, referring to the technology that oversees physical operations like water flow and purification processes.
The White House’s 2023 National Cybersecurity Strategy Implementation Plan has called attention to this issue, urging public-private partnerships to bolster defenses against increasingly sophisticated threats. One key aspect of this strategy is ensuring that cybersecurity measures are integrated into both new and legacy infrastructure to protect against future disruptions.
Water treatment facilities, many of which are underfunded when it comes to cybersecurity, need more than just new technology — they need a long-term plan that includes risk assessments, emergency response plans, and nationwide cybersecurity training programs. Creath stresses the importance of collaboration: “Both the government and private sector need to share information about cyber threats so that everyone can learn from each other and take steps to protect their systems.”
The attack on American Water Works is the latest in a series of cyber incidents that should act as a wake-up call for critical infrastructure operators across the country. Even advanced, newer facilities are not immune to such risks. If cybersecurity continues to be underfunded or overlooked, the next breach could have far more severe consequences, from prolonged service disruptions to serious threats to public health and safety.
For now, the full impact of the breach remains unknown, but one thing is clear: the need to secure the digital backbone of America’s critical services has never been more pressing.