Categories
Commentary & Insights

11 recent cyber attacks on the water and wastewater sector

This page summarises some of the most recent cyber attacks on water and wastewater utilities that are in the public record.

The majority of organisations, of any type, prefer not to publicly report their incidents, so the reality is that more attacks are occurring than we hear about.

American Water

Date: October 2024
Country: United States
Consequence: Week-long outage of billing and customer account account systems

American Water experienced a cyber attack that disrupted its MyWater account system for a week, affecting customer access to accounts and bill payments. The attack, discovered on 3 October 2024, led to the shutdown of the company’s call centre and rescheduling of customer appointments. Despite these disruptions, water and wastewater facilities were not impacted. The company, serving 14 million people, paused billing and took measures to protect systems and data. Moody’s Ratings said it viewed the incident as credit negative. No attacker was named. Read more on techcrunch.com and cybersecuritydive.com.

Arkansas City Water Treatment Facility

Date: September 2024
Country: United States
Consequence: Switch over to manual operations

The water treatment facility in Arkansas City, Kansas, experienced a cybersecurity incident on 22 September 2024, leading to a temporary switch to manual operations. Despite the incident, there was no disruption to the water supply or service delivery. Enhanced security measures were implemented, and authorities were involved to resolve the situation.

Read more on bankinfosecurity.com.

Tipton, Indiana

Date: April 2024
Country: United States
Consequence: Minimal disruption. Operations transitioned to manual control during the event.

The Cyber Army of Russia posted a video online showing how hackers allegedly interacted with the systems of the Tipton Wastewater Treatment Plant.

Facility staff noticed irregular activity through standard process monitoring of plant operations, and transitioned systems to manual control whilst the matter was investigated. Read more on WTHR.com.

Texas Cities: Hale Center, Muleshoe, Lockney and Abernathy

Date: January 2024
Country: United States
Consequences: Limited; water tank overflow in one case

Multiple water and wastewater plants in Texas, United States, were hit by cyber attacks in early 2024. Videos posted online by the purported hackers showed them interacting with various supervisory control and data acquisition (SCADA) systems remotely, arbitrarily adjusting settings and controls. In most cases suspicious activity was caught before material damage was caused, with operations switched to manual control whilst steps were taken to resecure systems.

In Muleshoe a water tank was caused to overflow for about 30-45 minutes before the situation was brought under control.

Screen grab from hacker video
Screen grab from hacker video
Screen grab from hacker video
Screen grab from hacker video
Screen grab from hacker video

A common link was determined to be the vendor software used by the communities that keeps their water systems remotely accessible.

Read more:

  • Summary from “Small Towns Meeting” 31 January 2024 – MyPlainview.
  • Attacks were attributed to Russia-linked group 17 April 2024 – Associated Press.

Get notified of new incidents

Enter your email address to receive a notification when new incidents are added to this page

    Veolia North America

    Date: January 2024
    Country: United States
    Consequence: Online bill payment system service degradation, and theft of personally identifiable information

    Veolia took targeted back-end systems and servers offline as a defensive measure. Customers experienced delays using the online bill payment systems as a result of this action. Water or wastewater treatment operations did not appear to have been impacted, according to a statement by the company. Read more here.

    Veolia is an international company specialising in water, waste and energy management systems. The company operates 8,500 water and wastewater facilities around the world, as well as in all 50 US states.

    Southern Water

    Date: January 2024
    Country: United Kingdom
    Consequence: Theft of personally identifiable information and corporate data

    Compromised information and data included copies of identity documents such as passports and driving licenses, HR-related documents, and corporate car-leasing documents exposing personal data. Ransomware gang claimed it stole 750 GB worth of data in total. Read more here.

    Southern Water provides water services to 2.5 million customers, and wastewater services to more than 4.7 million customers across Sussex, Kent, Hampshire and the Isle of Wight. Its asset portfolio includes 205 service reservoirs, 13,929km of water mains, 84 treatment works, 365 wastewater treatment works, 39,808km of sewers and 3,321 pumping stations.

    Private group water scheme in County Mayo

    Date: December 2023
    Country: Ireland
    Consequence: Water outage for 160 households over two days

    An internet-connected controller used to maintain water pressure within the water system was accessed and taken offline by attackers. The devices shipped with default settings that included a simple and publicly published password. It appears the group did not have immediate access to any back-up systems, manual or otherwise. This attack exploited the same equipment and vulnerability that impacted the Municipal Water Authority of Aliquippa in the US. Read more here.

    In Ireland, a private group water scheme is where the entire water supply—including the source, treatment plant and distribution system—is owned by a group of community trustees. The impacted scheme in this case is reported to service approximately 160 households in the Erris area of County Mayo.

    Municipal Water Authority of Aliquippa

    Date: November 2023
    Country: United States
    Consequences: Compromised operational technology, triggering manual override

    An internet-connected controller used to maintain water pressure within the water system was accessed and taken offline by attackers. The devices shipped with default settings that included a simple and publicly published password. The authority had access to a manual backup system that enabled them to continue pumping. This attack exploited the same equipment and vulnerability that impacted the private group water scheme in County Mayo, Ireland. Read more here.

    The Municipal Water Authority of Aliquippa manages a water system serving over 6,600 customers, featuring wells along the Ohio River, a treatment plant, and 9.178 million gallons of water storage across six reservoirs. The distribution network includes 82 miles of water mains, various stations, and 450 hydrants. Additionally, its sewer system serves over 5,300 customers, with a treatment plant, 52 miles of sewer mains, and six pump stations, discharging treated effluent to the Ohio River.

    North Texas Municipal Water District

    Date: November 2023
    Country: United States
    Consequences: Loss of business systems, and suspected breach of data

    Phone services and business systems were impacted from around 12 November, most of which was restored towards the end of the month. A ransomware gang claimed it stole over 33,000 files containing customer data. Core water, wastewater, and solid waste services were not impacted. Read more here.

    The North Texas Municipal Water District provides water, wastewater, and solid waste services to 2 million residents across 10 counties. It operates 7 water treatment plants with a 946 mega gallons per day capacity, 695 miles of transmission pipelines, and 82 wholesale delivery points. It also manages 13 wastewater treatment plants and a solid waste service with 3 transfer stations and a landfill.

    Águas e Energia do Porto

    Date: January 2023
    Country: Portugal
    Consequences: Data exfiltration and customer service constraints

    Hackers stole data from Águas do Porto, and also caused disruption that impacted customer services for several days.

    Passwords for Águas do Porto appear to have been stolen from Divultec, a company that provides IT services to third-parties. Read more here (translated from Portuguese).

    Águas do Porto manages more than 2,000 km of water infrastructure including water mains, sewers, and storm water pipes. Águas do Porto also manages 66 km of streams and 3.4 km of seafront.

    South Staffordshire PLC

    Date: July 2022
    Country: United Kingdom
    Consequences: Theft of personally identifiable information (PII), disruption to corporate network

    In an early statement from the company in August 2022, they confirmed they were experiencing disruption to their corporate IT network. In November they advised that some customer data was impacted.

    The group responsible for the hack published screenshots of various systems they accessed, which included parts of the SCADA system. Samples of the screenshots and analysis are discussed on the SCADAfence website.

    The incident did not affect the safe supply of water to their 1.6 million customers.

    Read more here.

    South Staffordshire PLC manages and controls infrastructure including water treatment facilities, distribution networks, and reservoirs. It provides drinking water and sewage services to households and businesses within the South Staffordshire and Cambridge regions of the United Kingdom.

    Monthly cyber security insights, news and tips direct to your inbox

    More information here. You can unsubscribe at any time. See Privacy Policy for further details.