American Water shuts down online services after cyberattack

by BleepingComputer

American Water, the largest publicly traded U.S. water and wastewater utility company, was forced to shut down some of its systems after a Thursday cyberattack.

In a filing with the U.S. Securities and Exchange Commission (SEC), American Water said it has already hired third-party cybersecurity experts to help contain and assess the incident's impact. It also reported the breach to law enforcement and is now coordinating their efforts in a joint and ongoing investigation.

"The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems," the 8-K regulatory filing reads.

As American Water said in a separate statement on its website, the attack also forced it to shut down its online customer portal service, MyWater, and pause billing services.

However, company spokesperson Ruben Rodriguez told BleepingComputer that there "will be no late charges for customers while these systems are unavailable."

"Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident," Rodriguez added. "The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident."

American Water has over 6,500 employees and provides water and wastewater services to over 14 million people in 14 states and on 18 military installations.

This incident follows a similar one that impacted the water treatment facility of Arkansas City, Kansas, which was forced to switch to manual operations after a weekend cyberattack.

These incidents come after a TLP:AMBER advisory warning of Russian-linked cyberattacks targeting the water sector, issued by the Water Information Sharing and Analysis Center (WaterISAC), a nonprofit organization that helps protect water utilities from cyber threats.

For instance, Chinese-backed Volt Typhoon hackers infiltrated the networks of drinking water systems in February, while Iranian threat actors breached a Pennsylvania water facility in November 2023.

The U.S. Environmental Protection Agency (EPA) has also recently issued guidance to assist owners and operators of water and wastewater systems (WWSs) in evaluating their cybersecurity practices and identifying measures to reduce their attack exposure.