CAMDEN, N.J. — A cyberattack continues to hit the largest regulated water and wastewater utility in the United States, refocusing attention on the importance of protecting critical infrastructure locations.
New Jersey-based American Water has stopped billing customers announced the cyber attack on Monday. It said it became aware of the unauthorized activity on Thursday and immediately took protective measures, including shutting down certain systems. Water services were unaffected as protections remained in place Wednesday.
The company – that delivers drinking water and sewerage services to more than 14 million people in 14 states and at 18 military installations — said it does not believe its facilities or operations were affected by the attack, although staffers were working “around the clock” to investigate its nature and extent.
The attack on American Water appears to be more of an “IT-focused attack” than an operational attack, said Jack Danahy, vice president of strategy and innovation at NuHarbor Security in Colchester, Vt. in Vermont.
“People have traditionally not considered parts of infrastructure, such as water and wastewater supplies, to be vulnerable to threats, but incidents like this show how quickly problems can arise,” Danahy said. “As billing and other services have become more accessible to customers in recent years, they are now exposed to more types of risks and concerns that were not there before.”
The US Cybersecurity and Infrastructure Security Agency and the Environmental Protection Agency urged water systems to take immediate action this year to protect the country’s drinking water. About 70% of utilities inspected by federal officials have recently violated standards designed to prevent breaches or other violations, the EPA said.