On October 3, 2024, American Water Works — the largest publicly traded U.S. water and wastewater utility, serving approximately 14 million people across 24 states and 18 military installations — detected unauthorised activity on its enterprise network. Within hours the company shut down its MyWater online customer portal, paused billing operations, and disconnected several internal systems from the internet. On October 7 it filed an SEC Form 8-K naming the event a "cybersecurity incident" but offering no attribution. Crucially, American Water said no water-treatment or wastewater facilities were affected and water quality was never at risk. That distinction — IT compromise without OT impact — is exactly the story regulators have been watching for, because the boundary between corporate IT and operational technology in U.S. water utilities is far thinner than the press release suggested.
What did American Water disclose and what did it not?
The October 7 8-K confirmed: unauthorised activity in IT systems, customer portal taken offline, billing operations paused, no impact to water or wastewater facilities, no confirmed data exfiltration at the time of filing. What it did not confirm: whether ransomware was deployed, whether the actor was financially motivated or nation-state, whether SCADA networks shared trust anchors with corporate AD, and whether customer data including bank-debit information had been accessed. American Water disclosed on October 17 that it was restoring the MyWater portal but did not provide an updated impact assessment. As of January 2026, no ransomware group has publicly claimed the incident on a leak site, which suggests either ongoing negotiation, a wiper without monetisation, or — most likely given the disclosure language — a financially motivated intrusion stopped before data could be exfiltrated.
Why the OT/IT distinction matters here
American Water's SCADA, distribution-control, and plant-automation networks are nominally air-gapped from its enterprise IT environment, per the company's 2023 10-K cybersecurity disclosure. But the Aliquippa, Pennsylvania water authority intrusion in November 2023 (CyberAv3ngers exploited an exposed Unitronics Vision PLC with the default password 1111) and the January 2024 Muleshoe, Texas water-tower overflow (linked to Cyber Army of Russia Reborn / Sandworm) showed that "air-gapped" in the water sector often means "addressable but not browsable." CISA Director Jen Easterly's testimony to the House Homeland Security Committee on November 14, 2023 highlighted that the U.S. has approximately 152,000 public water systems, the vast majority with two or fewer IT staff, and most run flat networks where a billing-system compromise can pivot to a historian database to a plant DCS in a single afternoon.
Why was the customer portal shut down so aggressively?
Defensive blast-radius limitation. The MyWater portal — built on a customer-engagement platform with API connections to billing, meter-reading, and account-management back ends — is the highest-value pivot inside American Water's IT estate. Taking it offline cuts the most likely path from any compromised corporate workstation into back-office systems that share trust anchors with the SCADA-facing historian. The pause in billing operations confirms the intrusion reached or threatened the financial-system side. The company's internal incident playbook reportedly called for a shutdown decision within 24 hours; sources speaking to Reuters on October 8 said the call was made within four hours of detection.
What's the regulatory context for water-utility cyber?
EPA had tried in March 2023 to use Safe Drinking Water Act authority to require cybersecurity assessments as part of state sanitary surveys; AWWA, the National Rural Water Association, and three state attorneys general sued and won a stay in July 2023, and EPA withdrew the requirement in October 2023. Since then, water-sector cybersecurity has been governed by voluntary frameworks (AWIA Section 2013, the WaterISAC Top 12, and CISA's optional Water and Wastewater Sector CPGs). The American Water incident lands in the middle of an active rulemaking by EPA in coordination with CISA to revive mandatory cyber baselines, with a draft NPRM expected in Q2 2025. The company's status as a publicly traded entity meant SEC Item 1.05 disclosure was effectively mandatory; the rest of the sector's 152,000 systems have no such trigger.
What attribution clues exist?
Industrial Cyber on October 9 noted that nation-state actors were among the potential sources mentioned by U.S. officials, but no public attribution has followed. Volt Typhoon — the PRC pre-positioning cluster CISA flagged in February 2024 advisory AA24-038A — explicitly targets water and wastewater systems for living-off-the-land persistence, and the FBI's January 2024 testimony before the House Select Committee on the CCP described "Volt Typhoon's prepositioning on our networks." That said, the absence of long-dwell persistence indicators in American Water's public statements — they detected on October 3 and shut down the same day — fits a financially motivated profile better. A Volt Typhoon-class actor would not be detected by anomalous user behaviour in the portal application.
# Minimum water-utility IT-OT boundary baseline (CISA Water/Wastewater CPGs)
# Block-list rules at the corporate-IT firewall facing the SCADA DMZ.
# Create the chain and hook it into FORWARD for traffic leaving the IT side for the OT side;
# the interface names below are placeholders and are site-specific.
iptables -N FWD-IT-OT
iptables -A FORWARD -i eth0 -o eth1 -j FWD-IT-OT
# Drop well-known ICS protocols explicitly ahead of the default deny so the intent is visible in the rule set
iptables -A FWD-IT-OT -p tcp --dport 102 -j DROP # S7 Siemens
iptables -A FWD-IT-OT -p tcp --dport 502 -j DROP # Modbus TCP
iptables -A FWD-IT-OT -p tcp --dport 20000 -j DROP # DNP3
iptables -A FWD-IT-OT -p tcp --dport 44818 -j DROP # EtherNet/IP
iptables -A FWD-IT-OT -p udp --dport 47808 -j DROP # BACnet/IP (runs over UDP, not TCP)
# Allow only one-way historian replication via the jump host (SQL Server, TCP 1433);
# the OT-to-IT direction needs its own chain and is not covered here
iptables -A FWD-IT-OT -s 10.50.10.10 -d 10.40.0.0/16 -p tcp --dport 1433 -j ACCEPT
# Default deny: log, then drop everything else
iptables -A FWD-IT-OT -j LOG --log-prefix "IT-OT-DENY: "
iptables -A FWD-IT-OT -j DROP
What should water and wastewater utilities do this year?
Six steps. First, harden the IT-OT boundary with explicit deny-all and exceptions monitored by both IT and operations staff. Second, default-deny any tool that requires inbound access to historian or HMI VLANs from the corporate IT network. Third, follow the CISA WW CPG enhanced goal CPG 2.A: enforce strong MFA on all internet-facing systems and on every administrative interface to OT systems. Fourth, build an IT-side asset inventory that catalogues every internet-reachable asset; the Unitronics Vision PLCs at Aliquippa were not on anyone's inventory. Fifth, pre-stage a manual-operations runbook for billing, customer service, and water-quality reporting that can run for 14 days. Sixth, run a tabletop simulating exactly the American Water sequence: portal compromise, billing system isolation, regulatory-disclosure timing, customer communications during a 48-hour outage.
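The fourth step, an inventory that catches the "PLC nobody knew was on the internet", comes down to reconciling what is reachable from outside against what the utility thinks it owns. The following is an added example, not code from American Water, CISA or the page's author: it takes a list of (ip, port) observations from the utility's own authorised external scan, compares it with an inventory keyed by IP, and flags unknown assets and anything exposing an ICS protocol. The ICS port list is the one from the boundary block-list plus TCP 20256 (Unitronics PCOM); all hosts and owners are constructed sample data.

```python
"""Reconcile an external-exposure scan against the asset inventory.

Added example (not American Water's or CISA's code). Every host, owner and
scan result below is constructed; addresses are RFC 5737 documentation space.
"""
from dataclasses import dataclass

# ICS/OT service ports: the first five match the IT-OT boundary block-list,
# TCP 20256 is Unitronics PCOM, the protocol exposed at Aliquippa.
ICS_PORTS = {
    102: "S7", 502: "Modbus TCP", 20000: "DNP3",
    44818: "EtherNet/IP", 47808: "BACnet/IP", 20256: "Unitronics PCOM",
}
SEVERITY_ORDER = {"critical": 0, "high": 1}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    reason: str
    severity: str


def reconcile(scan, inventory):
    """scan: iterable of (ip, port) seen from the internet.
    inventory: dict ip -> {"owner": str, "zone": "IT" | "OT"}.
    Returns findings sorted critical first, then by ip and port."""
    findings = []
    for ip, port in scan:
        asset = inventory.get(ip)
        proto = ICS_PORTS.get(port)
        if asset is None and proto:
            findings.append(Finding(ip, port, f"unknown asset exposing {proto}", "critical"))
        elif asset is None:
            findings.append(Finding(ip, port, "internet-reachable asset not in inventory", "high"))
        elif proto:
            sev = "critical" if asset["zone"] == "OT" else "high"
            findings.append(Finding(ip, port, f"{asset['zone']} asset ({asset['owner']}) exposing {proto}", sev))
        # A known asset on a non-ICS port is left to the normal vulnerability process.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.ip, f.port))


# Constructed sample input: a billing host leaking Modbus, an unlisted PLC, an unlisted web box.
SAMPLE_SCAN = [("203.0.113.10", 443), ("203.0.113.10", 502),
               ("203.0.113.77", 20256), ("203.0.113.25", 22), ("203.0.113.90", 8080)]
SAMPLE_INVENTORY = {"203.0.113.10": {"owner": "billing", "zone": "IT"},
                    "203.0.113.25": {"owner": "gis", "zone": "IT"}}

if __name__ == "__main__":
    for f in reconcile(SAMPLE_SCAN, SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.ip}:{f.port} {f.reason}")
```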
How Safeguard Helps
Safeguard maps every IT, OT, and SaaS supplier that touches a water or wastewater utility's enterprise estate and continuously evaluates each against CISA's Water and Wastewater Sector Cybersecurity Performance Goals, AWWA's J100-21 risk-management framework, and the latest Volt Typhoon, Cyber Army of Russia Reborn, and RansomHub advisories. Griffin AI's reachability engine prioritises CVEs that can pivot from corporate IT into SCADA-adjacent historians via shared Active Directory trust anchors. TPRM scoring tracks each utility-software vendor — meter reading, GIS, hydraulic modelling, customer engagement, OT historian — against incident-disclosure SLAs and the CISA Secure by Design pledge, downgrading vendors that miss patching commitments. Policy gates block any new utility-software release that embeds CISA KEV-listed components, and ingest VEX statements so incident responders see a clean, prioritised view during the next portal-side breach.