Features 22.10.2024
AI Autopsy: American Water Cyber Attack
On October 3 2024, American Water, the largest water company in the US, discovered it had been hit by a cyber attack
On October 3 2024, American Water, the largest water company in the US, discovered it had been hit by a cyber attack. The company reacted quickly, shutting down affected systems, including its customer portal, as it worked to fend off the attack.
The incident had the potential to cause significant physical harm: American Water provides drinking water and wastewater services to over 14 million people in the US. But thanks to the utility’s swift response, none of its facilities were negatively impacted, and its water was deemed safe to drink.
As operators of what is classed as critical national infrastructure (CNI), utility companies such as American Water are increasingly targeted by nation-state hackers from countries including Russia, Iran and China.
This has led to warnings from US and UK government officials and a spate of regulations intended to ensure CNI companies firm up their defences.
On the surface, it looks like American Water was well prepared for the possibility of attack. It’s still early days, but what can be learned from the incident so far?
When you are hit by a cyber attack, it’s important to react quickly and openly to avoid panic. American Water’s response was pretty much by the book.
In an SEC filing, American Water described how it “immediately activated” its incident response protocols and contacted third-party cybersecurity experts to assist with containment and mitigation and investigate the nature and scope of the attack.
It also notified law enforcement and took steps to protect its data, including disconnecting and deactivating some of its systems.
Just weeks after detecting the incident, it’s impossible to know the full impact. Yet the utility is confident it won’t have a material effect on “the company, its financial condition or the results of operations”.
That’s a good sign. When it comes to CNI organisations such as water suppliers, the stakes are “especially high”, says Sean Arrowsmith, director of industrials at NCC Group. He says that the potential outcome of widespread disruption meant that American Water had to respond “immediately and decisively”.
This could be what stopped attackers from causing further damage. The company responded “promptly” and ensured the incident could be investigated by private and federal entities, says Crystal Morin, cybersecurity strategist at Sysdig. “American Water proactively shut down systems to contain the incident, effectively reducing the attacker’s opportunity to move across their environment.”
Given that the attack was noticed on Thursday and the customer portal was very quickly back online, the damage may have been contained. It appears that American Water was well prepared to deal with such an attack, says Pieter Arntz, senior malware intelligence researcher at Malwarebytes. “They were proactive in taking services offline, even when it interrupted their cash flow. American Water has published transparent information about how it handled the incident and has been able to resume operations quickly.”
American Water appears to have responded “quickly and effectively” to isolate the damage caused by the cyber attack – a “commendable response executed under duress”, says Sean Deuby, principal technologist at Semperis. “The fact the firm is now confident that these systems are secure enough to be reactivated following the investigation so far proves it was the right course of action.”
When disaster strikes, everyone knows how important it is to be prepared. This includes having an incident response plan in place and testing it thoroughly.
It seems American Water handled this aspect well. The firm’s response demonstrates “a well-structured incident response approach”, says Andy Rock, solutions architect at Integrity360. “Upon discovering the threat, the company activated its protocols, isolating affected systems and halting billing operations as a precaution.”
The firm’s transparency in communicating with customers and regulatory bodies “fostered trust and illustrated responsible crisis management”, Rock adds.
Cyber attacks are inevitable, so a plan should be “mandatory”, says Morin.
“From what has been reported, American Water has implemented and executed a very successful incident response process. The firm has done exactly what I often urge organisations to do following an incident: Contain, investigate, share what you can early – and continue to suss out details in the days that follow.”
A breach is often a sign of a security failure or oversight, but timely response actions can make up for this, says Morin. “It seems American Water responded in real-time, and its incident response plan was well-planned and widely understood. The fact that the organisation’s leadership does not believe this incident will be material is just about all you can ask for and evidence of why all companies should have a breach plan in place.”
Due to their critical nature, organisations like American Water are prime targets for cyber attackers. Therefore, it is important to stay ahead of the latest threats and know your enemy.
The incident did not come without warning. In September, the American Cyber Defense Agency warned that the water sector is a target for attackers. “With such a massive customer base comprising the general public, cyber attacks in this sector can be incredibly disruptive,” says Arrowsmith.
Attackers only need to get lucky once to cause damage. “Critical infrastructure is always a priority target for nation-state actors and ransomware groups because they have the potential to wreak havoc on a large population,” Morin points out.
This attack illustrates the importance of segmentation, especially separating operations from other systems such as billing, says Sean Wright, head of application security at Featurespace. “This helps to greatly reduce the potential impact of an incident.”
The company deactivated or disconnected systems, including its customer service portal, in response to the attack.
This was a good idea. Hackers don’t always need to access sensitive data directly; they can exploit less secure, connected systems, putting customer information such as banking details at risk, says Arrowsmith. “So even if the portal’s network hadn’t been hacked, attackers could have used other parts of the network to gain access.”
Disconnecting systems is a proactive reaction to a cyber attack and can ensure the safety of sensitive information, he says.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently warned that attackers are exploiting operational technology (OT) and industrial control system (ICS) devices used in the water sector. Given this, boosting cybersecurity, including basics such as authentication, is more important than ever.
Attacks on this sector often target weak authentication methods and poor passwords, which Morin says are “some of the easiest security risks to mitigate”.
“Although there is seemingly no ‘material’ incident here, the water and wastewater sector should take the attack as a final warning to address basic security hygiene and reduce unnecessary risk. There is zero excuse for these poor authentication processes, and these simple measures pay dividends when critical services and revenue are on the line.”
The outcome is mostly positive. The attack on American Water is a great example of how a quick, thought-out response can prevent potentially catastrophic damage. Knowing you are a target helps, especially if, like American Water, you operate CNI.
The firm had security protocols and could quickly detect the attack, shut down systems, and activate its incident response plans. Given how smoothly it all played out, these were probably already well-practised.