Security experts discuss the American Water cyberattack

Image via Unsplash

American Water Works Company, Inc., experienced a cyberattack and was forced to pause customer billing. The organization provides services for more than 14 million individuals across 14 states, including 1,700 communities. While finer details of the attack are not currently available, American Water released a statement that unauthorized activity was discovered on its systems, prompting the shut down.

Tim Erlin, Security Strategist at Wallarm, discusses what may have caused the incident. “Critical infrastructure isn’t immune from the digital transformation that other organizations are undergoing, including the reliance on APIs and applications,” Erlin states. “We saw a real world proof that cybersecurity can impact water safety with the 2021 incident in Oldsmar, Florida, and just last month a water treatment plant in Kansas implemented manual controls because of a cyber incident. There’s no doubt that we’ll learn more as the incident investigation progresses, but the fact that they’d disconnected online systems could point to an API or web application attack. Just as other industries have adopted APIs, critical infrastructure has moved forward in how they connect to customers and other facilities. Water and wastewater treatment facilities are often underfunded when it comes to cybersecurity, but they face the same threats as other organizations. CISA, the federal agency tasked with securing critical infrastructure, has focused on the water and wastewater treatment sector, but these changes take time and budget. Of course, the attack surface continues to shift with new technologies, new ways of connecting and new threats.”

Securing critical infrastructure is essential not just for maintaining organizational integrity, but for ensuring the safety of those who rely on said infrastructure.

Akhil Mittal, Senior Manager of Cybersecurity Strategy and Solutions at Black Duck, comments, “We often overlook how vulnerable our everyday essentials are to digital threats. We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks and potentially risk public health. The focus now should be on quick action: containing the attack, getting the system back online and being transparent with the public. As more essential services go digital, cybersecurity needs to be built into the infrastructure from the start, not bolted on later. Instead of just reacting to these threats, we need to focus on preventing them. Protecting these systems is no longer optional now, it’s critical to keep things running smoothly and safely.”

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.