Largest U.S. Water Utility Hacked
The biggest water utility in the U.S. has been the victim of a cyberattack (CNBC).
What’s going on: The Camden, New Jersey-based American Water “said in a security statement on its website that it had learned of ‘unauthorized activity in our computer networks and systems’ [on Oct. 3], which it determined ‘to be the result of a cybersecurity incident.’”
- American Water—which “provides drinking water and wastewater services to more than 14 million people”—said Tuesday it had closed its customer service portal and billing function for the time being and will not assess late fees for delayed payments while the system is shuttered.
- The company does not “currently believe” any of its water or wastewater operations have been affected by the breach, though it said it is too soon to know whether customer data was exposed.
Why it’s important: The intrusion into American Water is the latest in a string of cyberattacks on critical infrastructure, and drinking water and wastewater systems nationwide are at risk of attack, an EPA spokesman told CNBC.
- In September it was reported that hackers with ties to the Chinese government had breached several U.S. internet service providers in recent months.
- In January, a “Russian-linked hack in January of a water filtration plant in a small Texas town, Muleshoe, was located near a U.S. Air Force base.”
- And last year saw China-affiliated cyberattacks on “at least one oil and gas pipeline,” a major West Coast port and a Hawaiian water utility (The Washington Post, subscription).
Not hack-proof: Earlier this year, “[t]he rising cybercrime wave targeting key water infrastructure led the Environmental Protection Agency to issue an enforcement alert warning that 70% of water systems it inspected do not fully comply with requirements in the Safe Drinking Water Act.”
The NAM says: “We must defend critical infrastructure systems first and foremost,” said NAM Senior Director of Technology Policy Franck Journoud. “That’s why the NAM recently called on the Department of Homeland Security to focus its proposed regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act on attacks that genuinely disrupt the operation of critical infrastructure, rather than on a broader scope of incidents affecting a broader universe of companies.”