The largest water utility in the United States, American Water Works Company, has reported a cybersecurity incident affecting its IT systems. The company, which serves over 14 million customers across 14 states, detected unauthorized activity in its computer networks on October 3. In response, it took protective measures, including disconnecting certain systems and temporarily suspending its customer portal and billing system.
According to ASIS International, American Water has not detected any intrusions into systems that affect vital services, and no ransomware group or other threat actor has claimed responsibility for the incident. The company has engaged third-party cybersecurity experts to assist with containment and mitigation activities and to investigate the nature and scope of the incident.
Fortune reports that American Water has notified law enforcement and is fully cooperating with them. The company has assured customers that they will not face late charges while its systems are unavailable.
The incident highlights ongoing concerns about the IT security of the nation's water utilities. The federal government has repeatedly raised the issue of the vulnerability of water utilities, many of which are small, serve less than 10,000 people, and have limited IT budgets and expertise.
American Water is working diligently to remediate and bring the affected systems back online in a safe and secure manner. The company has stated that it believes none of its water or wastewater facilities or operations have been negatively impacted by the incident.