By REBECCA RUTHERFORD
Los Alamos
For The Los Alamos Daily Post
Utilities such as gas, water and electric are necessities it is easy to take for granted. Loss of service due to natural disasters, such as hurricanes, happens; but what would happen if a utility company suffered a cyber-attack?
Unfortunately, that is just what happened earlier this month to American Water, the largest publicly traded utilities company in America. American Water is a major supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employs about 6,500 people over all its facilities.
Fortunately, the attack did not affect water service to customers, but it did bring down the company’s website and customer billing portal. The attack occurred on Oct. 3, when the company detected “unauthorized activity within its computer networks and systems,” which was determined to be the result of a cyber-attack. The attack was reported to the SEC on Oct. 7.
During the attack the company’s website and customer portal were both down, and according to media reports, internal telecom systems likewise appeared to be down. It does not appear that the attack affected any water or waste-water systems. As of Oct. 11, they were able to confirm with their internal security team as well as external consultants that systems were secure, and they were able to reconnect infrastructure.
“American Water takes the cybersecurity of its systems and related data with utmost seriousness and has taken additional steps to strengthen the cybersecurity of its systems,” the company stated in its update to the US Securities and Exchange Commission (SEC).
This attack could have been so much worse. If it had affected their water and wastewater systems, millions of customers could have lost access to water services. This only serves to highlight recent concerns about cybersecurity and America’s critical infrastructure.
As to what kind of attack this was, details are slim. Industry experts seem to be leaning towards it being a ransomware attack, as the shutdown of billing and telecom systems points only to internal corporate backend systems being affected. These systems are separate from those controlling the water and wastewater facilities. There is no word as to whether any customer data was stolen in this attack. As of this time there does not appear to have been any data theft.
Critical infrastructure is a tempting target for foreign-based, state-sponsored attackers. Earlier this year, the national cyber agency CISA, as well as international partners, warned it had observed a state-sponsored threat actor establishing and maintaining their presence in the IT systems of US water companies for at least five years.
This is scary because by remaining in networks undetected, the attacker can sit, observe and wait for exactly the right time to make their attack. Pretty much the ultimate nightmare for a cyber incident response team.
Cybersecurity is frequently overlooked or underfunded, and many of our critical infrastructures rely on very old systems. Water treatment and other critical infrastructure facilities are very vulnerable to cyber-attacks, and hopefully this attack will serve as a wake-up call for the industry.
Editor’s note: Rebecca Rutherford works in information technology at Los Alamos National Laboratory.
