
American Water’s Security Incident: Ransomware or Something Else?

Forescout Research - Vedere Labs and Don Sears, Senior Cybersecurity Editor | October 14, 2024

Summary

  • American Water recently disclosed a cybersecurity incident
  • Billing systems and customer care operations are impacted
  • The company reported no negative impact or safety concerns
  • While ransomware is possible, the cause is still inconclusive
  • The US water industry has had seven known security incidents in last 18 months
  • Since 2017, the water industry has increased its internet exposure of OT/ICS
  • Recommendations for water utilities:
    • Identify and patch vulnerable network devices
    • Segment the network to prevent lateral movement and infection spread
    • Monitor network traffic for signs of intrusion, lateral movement or payload execution

On October 3rd, New Jersey-based American Water, one of the largest water and wastewater companies in the US, disclosed a cybersecurity incident. The company serves 14 million customers across 14 states, including 18 US military installations, making it a critical part of the nation’s infrastructure.

In its 8-K filing, American Water stated that it had informed law enforcement and is working with third-party cybersecurity experts to investigate and mitigate the incident. The company has taken precautionary measures by disconnecting certain systems, but confirmed that no water or wastewater operations had been negatively impacted:

“The Company has taken and will continue to take steps to protect its systems and data, including disconnecting or deactivating certain of its systems. The Company currently believes that none of its water or wastewater facilities or operations have been negatively impacted by this incident. Although the Company is currently unable to predict the full impact of this incident, the Company does not expect the incident will have a material effect on the Company, or its financial condition or results of operations.”

In a FAQ on its website, American Water provided further details, revealing that it proactively took down its billing system “MyWater” and is pausing billing during this time. The customer call center also has “limited functionality.” In an October 10 statement, the company announced it is “in the process of methodically and securely reconnecting and reactivating the systems that were taken offline”.

What Caused the American Water Security Incident?

The details are still limited, and American Water has not confirmed the cause or perpetrators. However, there are two primary attack vectors typically seen targeting water utilities:

  1. Ransomware targeting IT systems, seeking financial gain by disrupting operations.
  2. Opportunistic attackers targeting exposed OT devices to disrupt water treatment processes.

Given the description of a paused billing system and unaffected water operations, this could point to a ransomware attack focused on IT infrastructure. However, it is too early to draw conclusions. What’s clear is that water utilities and other critical infrastructure are increasingly targeted by threat actors.

Water Utilities: A Recent History of Cybersecurity and OT Incidents, Globally

The water industry has been under significant cyber threat in recent years. One prominent example was the ransomware attack on South Staffordshire Water in the UK in 2022. The Cl0p group claimed to have control over both IT and OT systems. While they did not disrupt water treatment, the incident highlighted the vulnerability of critical infrastructure.

Since then, ransomware groups, such as Medusa, Blackbyte, Dragonforce, BlackBasta, Akira, Hunters International, Qilin, and Royal have targeted water utilities worldwide. The most recent attack claimed by the Medusa group, on September 12, impacted the Starr-Iva Water & Sewer District in South Carolina.

The US is the most affected country with at least seven incidents targeting companies in the water sector in the past 18 months, with most resulting in data leaks and encrypted systems. A list of TTPs commonly used by ransomware groups in these kinds of attacks is available in our blog: “Detect the Most Common Ransomware TTPs to Prevent Attacks”.

There have also been several hacktivist attacks against exposed OT devices and systems in water utilities. The most infamous have targeted utilities throughout the world using Israeli-made Unitronics PLCs for defacement. Recently, the group known as the Cyber Army of Russia Reborn (CARR) attacked water storage tanks in Texas causing them to overflow.

Understanding Water Utility Networks and Their Vulnerabilities

Water utilities often have a complex mix of IT and OT devices, which are frequently poorly segmented and exposed to the internet. This creates an ideal environment for threat actors to exploit. According to data from Forescout’s Device Cloud – our expansive data lake from real-world implementations – water companies typically have:

  • 69% traditional IT equipment
  • 31% unmanaged devices
    • 19% IoT/OT devices
    • 12% network equipment

These assets come from 186 different vendors and run 154 different operating system versions and flavors, making patch management challenging. There are 85 unique vulnerabilities affecting unmanaged devices in these companies, including routers, switches and access points, IP cameras, VoIP phones, and printers. Network equipment has become a popular entry point for initial access by attackers in 2024.


Segmentation Issues in Water Utilities

One of the main challenges for water utilities is effective network segmentation. Limited cybersecurity budgets and a lack of resources often lead to critical OT devices being connected on the same network as IT systems. For instance, in the 2023 Aliquippa municipal water authority attack, an exposed Unitronics PLC shared a network with “several security cameras.” Similarly, the attack carried out by CARR used a SCADA system exposed to the internet.

An alarming number of water utility systems remain exposed online. A Shodan search reveals over 1,000 instances of controllers and SCADA servers connected directly to the Internet.


Walchem controllers, for example, have a default username and password similar to the attacks used against Unitronics controllers — and some models have other vulnerabilities related to authentication. VTscada servers also have several known vulnerabilities.

We have reported a general 47% decrease in exposed OT devices in the US since 2017. Yet some 110,000 OT/ICS systems remain exposed to the internet. The water sector, however, has expanded its internet exposure of common controllers and SCADA servers.

Beyond these specific devices and systems, it is possible to easily find entirely unauthenticated VNC servers where attackers may connect to tamper with water treatment system controls.

Guidance on Ransomware Prevention

To safeguard against ransomware and other attacks, water utilities should focus on the following prevention and detection strategies:

Initial Access

  • Implement strong email filtering to prevent phishing.
  • Limit Remote Desktop Protocol (RDP) and other remote access services to trusted networks or IP addresses.
  • Use strong passwords and enable multifactor authentication when possible.

Persistence

  • Regularly monitor account activity.
  • Limit account privileges.
  • Implement strong password policies.
  • Limit permissions for scheduling tasks and monitor for suspicious activity.

Discovery

  • Use segmentation to limit access to systems and monitor for suspicious activity.
  • Monitor and restrict access to administrative tools, such as command-line interfaces and remote management tools.
  • Implement strong password policies and multifactor authentication to prevent unauthorized access to accounts.

Lateral Movement

  • Use network segmentation.
  • Enforce access controls to limit the impact of compromised accounts.

Exfiltration

  • Enforce least privilege and file integrity monitoring.
  • Monitor (and potentially block) unusual traffic patterns to known cloud storage providers.
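Two of the recommendations above (restricting RDP to trusted networks under Initial Access, and watching outbound traffic to cloud storage providers under Exfiltration) can be turned into simple detection checks over firewall or proxy logs. The following is an added example, not Forescout’s code or a Forescout platform rule; the log format, trusted networks, cloud-storage domain list and byte threshold are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Networks allowed to reach RDP (assumed values: an IT admin VLAN and a jump-host subnet).
TRUSTED_RDP_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Destinations treated as cloud storage for the exfiltration rule (constructed list).
CLOUD_STORAGE_DOMAINS = {"mega.nz", "drive.google.com", "dropbox.com"}

# Outbound bytes per (source, domain) within the log window that trigger an alert (assumed: 500 MiB).
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024

def parse_line(line):
    """Parse one constructed key=value firewall log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def rdp_findings(records):
    """Flag allowed inbound RDP (TCP/3389) sessions whose source is outside the trusted networks."""
    findings = []
    for r in records:
        if r.get("proto") != "tcp" or r.get("dport") != "3389" or r.get("action") != "allow":
            continue
        src = ipaddress.ip_address(r["src"])
        if not any(src in net for net in TRUSTED_RDP_SOURCES):
            findings.append((r["ts"], r["src"], r["dst"]))
    return findings

def exfil_findings(records):
    """Sum outbound bytes per (source, cloud-storage domain) and flag totals at or over the threshold."""
    totals = defaultdict(int)
    for r in records:
        domain = r.get("host", "")
        if any(domain == d or domain.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS):
            totals[(r["src"], domain)] += int(r.get("bytes_out", 0))
    return sorted((src, dom, n) for (src, dom), n in totals.items() if n >= EXFIL_THRESHOLD_BYTES)

# Constructed sample log lines (not from any real device or incident).
SAMPLE_LOG = """\
ts=2024-10-03T01:12:07Z action=allow proto=tcp src=10.20.4.15 dst=10.30.1.8 dport=3389 bytes_out=2048
ts=2024-10-03T01:14:52Z action=allow proto=tcp src=203.0.113.45 dst=10.30.1.8 dport=3389 bytes_out=4096
ts=2024-10-03T01:15:03Z action=deny proto=tcp src=198.51.100.9 dst=10.30.1.8 dport=3389 bytes_out=0
ts=2024-10-03T02:40:11Z action=allow proto=tcp src=10.30.1.8 dst=203.0.113.77 dport=443 host=mega.nz bytes_out=314572800
ts=2024-10-03T02:41:30Z action=allow proto=tcp src=10.30.1.8 dst=203.0.113.77 dport=443 host=mega.nz bytes_out=314572800
ts=2024-10-03T02:45:00Z action=allow proto=tcp src=10.30.2.21 dst=203.0.113.90 dport=443 host=www.dropbox.com bytes_out=1048576
"""

def analyze(log_text):
    """Run both rules over a block of log text and return the findings per rule."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {"rdp": rdp_findings(records), "exfil": exfil_findings(records)}
```

On the sample above, the RDP rule flags only the session from 203.0.113.45 (the denied attempt and the admin-VLAN session are ignored), and the exfiltration rule flags 10.30.1.8 for 600 MiB sent to mega.nz while the 1 MiB Dropbox upload stays below the threshold.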

How the Forescout Platform Can Help

The Forescout platform collects telemetry and logs from a wide range of sources, such as security tools, applications, infrastructure, cloud and other enrichment sources. It correlates attack signals into high-fidelity threat detections for analyst investigation and enables automated response actions across the enterprise.

With detection rules covering 196 MITRE ATT&CK techniques, it can identify the early warning signs of a ransomware attack. Techniques such as User Execution (T1204), Valid Accounts (T1078 – commonly used to access External Remote Services) and Phishing (T1566) are covered extensively, allowing for early detection and automated response actions to minimize damage.

Water utilities must remain vigilant and adopt a proactive approach to cybersecurity. With rising incidents targeting critical infrastructure, a robust security posture is not just recommended—it’s essential.
