The largest publicly traded water utility in the U.S., American Water, was hit by a cyberattack on October 3, which caused the company to disconnect certain online systems. As of Tuesday morning, October 8, both its website and telecommunications systems were still offline, highlighting the severe impact of the attack.
Company Responds to Cybersecurity Breach
Serving over 14 million customers across 14 states and 18 military installations, American Water plays a crucial role in supplying water across the country. In an official report filed with the U.S. Securities and Exchange Commission (SEC), the company revealed it had discovered unauthorized activity within its computer networks, which led to the decision to deactivate some systems to protect sensitive data and infrastructure.
To address the breach, American Water activated its incident response protocols, engaging third-party cybersecurity experts to assist in containment and mitigation efforts. Despite the disruptions to online and customer-facing services, such as its MyWater portal, there have been no reported issues at the company’s water and wastewater facilities.
Online and Telecom Systems Disrupted
The company’s main website and MyWater portal currently display “403 Forbidden” errors, making them inaccessible to customers. Additionally, American Water’s telecommunications system remains down, with employees unable to connect media inquiries or leave messages for the company’s media relations team.
Though the operational impact on water services is unclear at this point, the company has warned it may be too early to predict the full scope of the incident. Law enforcement authorities have launched an investigation alongside the company to determine the cause and extent of the cyberattack.
Critical Infrastructure Under Growing Cyber Threat
This incident underscores the increasing vulnerability of critical infrastructure, including utilities like water and energy providers, to cyberattacks. Attacks on such systems have the potential to not only disrupt services but also risk public safety. The 2021 Colonial Pipeline ransomware attack, which led to fuel shortages across the East Coast, remains a stark reminder of the broad-scale impact of these incidents. Likewise, a February 2021 cyberattack on a water-treatment facility in Florida nearly resulted in a catastrophic poisoning of the water supply before an employee intervened.
Akhil Mittal, senior manager of cybersecurity strategy at Black Duck, commented, “We often overlook how vulnerable our everyday essentials are to digital threats. This isn’t just about data breaches — millions of people rely on clean water daily, and incidents like this can disrupt services and delay safety checks, endangering public health.”
Efforts to Regulate Cybersecurity in Utilities Stall
U.S. federal authorities have long been concerned about the lack of mandatory cybersecurity measures in water utilities. The Environmental Protection Agency (EPA) reported that nearly 70% of the country’s community drinking water systems do not comply with the Safe Drinking Water Act. In May, the EPA had planned to strengthen enforcement of cybersecurity requirements for utilities but was forced to roll back these efforts following legal challenges from industry groups and lawmakers.
In response, agencies like the Cybersecurity and Infrastructure Security Agency (CISA) have published guides to improve cybersecurity in the water sector. However, with the regulatory push stalled, the protection of these critical systems becomes increasingly urgent. Mittal added, “Safeguarding utilities is no longer optional. Protecting these systems is critical to maintaining smooth and safe operations.”
Looking Ahead for American Water
Although the attack has taken its toll on American Water’s connected systems, the company’s focus is now on containing the incident, restoring its services, and maintaining transparency with customers. As investigations continue, the company is expected to provide updates on the recovery process and any potential impacts on operations.
