American Water rinsed in cyber attack, turns off app

It's still safe to drink, top provider tells us


Updated

American Water, which supplies over 14 million people in the US and numerous military bases, has stopped issuing bills and has taken its MyWater app offline while it investigates a cyber attack on its systems.

On Thursday, the dihydrogen monoxide business, which claims to be the US's largest regulated water provider, spotted unusual activity on its networks and later determined it was the result of a cyber security breach. American Water said it siloed off parts of its network to protect customer data, paused the MyWater billing app, and called in both law enforcement and outside security investigators.

"In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. There will be no late charges for customers while these systems are unavailable," a spokesperson told The Register.

"Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident. As we continue to contain and remediate our environment, we will share updated information as appropriate on www.amwater.com. The company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident."

In an 8-K filing [PDF], the water biz informed regulators that, while the situation is still under investigation, it "does not expect the incident will have a material effect on the company, or its financial condition or results of operations."

As The Register has reported, the water industry is one of the key parts of the US's critical infrastructure that is under active attack, and also very difficult to lock down. A big part of this is down to the industry's use of old operational technology that isn't patched as often as it should be, and is now under nation-state attack.

Last year the US government warned that an Iranian group calling itself CyberAv3ngers had hacked into multiple water suppliers' networks by exploiting Unitronics programmable logic controllers that were likely using the default passwords they shipped with. The group, backed by Iran's revolutionary guard, has claimed to have broken into multiple water company systems in both the US and Israel.

China too has been active in trying to find weaknesses in the US water supply, Congress has been warned, and in March 2023 the Environmental Protection Agency started requiring states to audit the security of water systems – but rescinded the rule after some states and water companies went to court over the issue. This year the EPA also announced the creation of the Water Sector Cybersecurity Task Force to look at ways of hardening America's suppliers against attack.

While American Water declined to say if the attackers in this latest case had been in touch, water systems are an obvious target for ransomware operators. Once the taps dry up people will get desperate and even the FBI is helping victims negotiate a payoff if lives are at stake from systems going down. ®

Update: American Water says it's recovering from its cyber attack and the business is "methodically and securely reconnecting" the systems it had to take down. "The company's customer portal, MyWater, is now operational, and all standard billing processes are resuming," it told The Reg. "As a reminder to our customers, there will be no late charges during the short period when our customer and billing platform was unavailable." It added that it won't be charging disconnection fees for the offline period and that water quality is unaffected.
