American Water stops billing for H2O due to 'cybersecurity incident'

Water is still safe to drink, it confirms

by · The Register

American Water, which supplies over 14 million people in the US and numerous military bases, has stopped issuing bills and has taken its MyWater app offline while it investigates a hacking incident.

On Thursday, the dihydrogen monoxide business, which claims to be America's largest regulated water provider, spotted unusual activity on its networks and later determined it was the result of a cybersecurity breach. American Water said it siloed off parts of its network to protect customer data, paused the MyWater billing app, and called in both law enforcement and outside security investigators.

"In an effort to protect our customers’ data and to prevent any further harm to our environment, we disconnected or deactivated certain systems. There will be no late charges for customers while these systems are unavailable," a spokesperson told The Register.

"Our dedicated team of professionals are working around the clock to investigate the nature and scope of the incident. As we continue to contain and remediate our environment, we will share updated information as appropriate on www.amwater.com. The company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident."

In an 8-K filing [PDF], the water biz told regulators that, while the situation is still under investigation, it "does not expect the incident will have a material effect on the company, or its financial condition or results of operations."

As The Register has reported, the water industry is one of the key parts of America's critical infrastructure that is under active attack, and also very difficult to lock down. A big part of this is down to the industry's use of old operational technology that isn't patched as often as it should be, and is now under nation-state attack.

Last year the US government warned that an Iranian group calling itself CyberAv3ngers had hacked into multiple water suppliers' networks by exploiting Unitronics programmable logic controllers that were likely using the default passwords they shipped with. The group, backed by Iran's Revolutionary Guard, has claimed to have broken into multiple water company systems in both the US and Israel.

China too has been active in trying to find weaknesses in America's water supply, Congress has been warned. In March 2023 the US Environmental Protection Agency started requiring US states to audit the security of water systems, but rescinded the rule after some states and water companies went to court over the issue. This year the EPA also announced the creation of the Water Sector Cybersecurity Task Force to look at ways of hardening America's suppliers against attack.

While American Water declined to say if the attackers in this latest case had been in touch, water systems are an obvious target for ransomware operators. Once the taps dry up, people will get desperate, and even the FBI is now helping victims negotiate a payoff if lives are at stake from systems going down. ®