A Bullseye on U.S. Utilities; A Spotlight on Cybersecurity Stocks
The American Water hack stokes the wealth case for two favorites ...
American Water Works Co. Inc. AWK 0.00%↑ — the biggest U.S. H2O utility, and a venture that supplies 14 million customers across 24 states (and 18 military installations) — said it’s recovering from a cyberattack that disabled its customer portal and rendered it unable to bill customers or collect payments.
The New Jersey-based American Water said the attack occurred on Oct. 3. It said the attack was limited to non-operational parts of its business. It said it expects no “material” impact to its business. And it said it won’t penalize customers who — because of the outage — can’t make payments.
But there’s one thing the company didn’t say — one answer it didn’t provide … and it’s the most important of all.
Who did it?
NEW WAR, NEW RULES
Welcome to the New Cold War. This “new-and-improved” Cold War shares some elements with the OG version (1947-1991) that l lived through, worked through and wrote about: Russia and China are once again America’s chief antagonists, and North Korea is again an occasional guest star. But there are new “proxies” this time around — “stateless” ones.
There are new battlefields: In outer space and cyberspace.
And new targets: Like our satellites, our medical providers … and our water systems.
The fact is, I saw this coming: Back in May, I told you that this piece of America’s “critical infrastructure” had a big bullseye on its back. I predicted more water hacks were coming.
And that’s a bummer.
But it’s a reality.
And threats like this bring Wealth Builder opportunities … like the one I’m bringing you today.
WATER, WATER EVERYWHERE — WE ARE AT THE BRINK
American water utilities really put that bullseye on themselves.
Back in May, a U.S. Environmental Protection Agency (EPA) “enforcement alert” spotlighted “urgent cybersecurity threats and vulnerabilities” to community water systems — and said the country needed to take action now to protect America’s drinking water.
The catalyst for this: Fully 70% of the U.S. drinking water systems the EPA inspected over the preceding half a year displayed “alarming” cybersecurity vulnerabilities that violated standards in the U.S. Safe Drinking Water Act.
Some of those vulnerabilities included “default passwords that have not been updated and single logins that can easily be compromised."
When you’re sloppy like that you’re basically painting the bullseye on yourself.
Cyberattacks against U.S. water utilities are on the rise — both in number and severity. China, Iran and Russia are building capabilities to attack and disable critical American infrastructure — including drinking water and wastewater.
This is bigger than it sounds. Before, hackers just messed with the utilities’ websites. But now they’re going after their physical operations — including the software that manages water filtering processes. The fallout from such hacks could include interrupted water flows, disrupted water treatment, disabling water storage, actual damage to crucial valves and pumps, or shifting chemical ratios enough to create health hazards, the EPA explained.
Some examples:
Early this year, a Russian-linked “hacktivist” went after the water systems in several Texas Panhandle towns; one system overflowed and another was forced to “unplug” and operate manually after turning aside 37,000 firewall attacks in just four days. The hacked water filtration plant in the tiny Texas town of Muleshoe sits near a U.S. Air Force base. The attacks were reported to the Feds.
Last year, the Iran-linked “Cyber Av3ngers” went after the Municipal Water Authority of Aliquippa — motivated by the Israel/Hamas war to target an Israel-made piece of equipment the utility was using.
A China-linked group known as “Volt Typhoon” is going after critical infrastructure — perhaps to plant malware that can cause major future disruptions should the U.S. and China square off. Some of the targets are in Guam, where the U.S. has a crucial military presence.
Way back in February, FBI Director Chris Wray told Congress that China’s hackers are preparing to “wreak havoc and cause real-world harm to American citizens and communities” by targeting our critical infrastructure — the electrical grid, water-treatment plants, and transportation systems that are crucial pieces of America’s supply chain.
That includes U.S. ports, which were in the news in recent weeks because of labor strife, but remain super vulnerable. In 2023, for instance, the Port of Los Angeles stopped 750 million hacking attempts — thanks to a Cyber Security Operations Center (CSOC) it set up back in 2014.
The new technologies like artificial intelligence (AI), new battlefields like cyberspace and new nation-state realities of the New Cold War have made it very different than its predecessor, cybersecurity expert Dawn Cappelli told NBC News earlier this year.
“By working behind the scenes with these hacktivist groups, now these (nation-states) have plausible deniability and they can let these groups carry out destructive attacks,” said Cappelli, head of the OT CERT (Cyber Emergency Response Team) at Dragos Inc. “And that, to me, is a game-changer.”
Protecting America is clearly a major subplot to the New Cold War — which we’ve detailed for you this year in reports like:
At the very start of Stock Picker’s Corner (SPC), when we detailed the New Cold War storyline – including the new threats and long-term escalation in global defense spending it will trigger.
In July, when I talked about the CDK hack to SPC Premium members– which crippled U.S. auto dealerships and their service departments.
And in August, when I told you about the China Threat, U.S. “Black Budgets” and the “Hypersonic Arms Race.”
One unifying thread that ties these all together: Advanced technology, which enables and supercharges those new threats.
The recent hacks on UnitedHealth Group and casino operators MGM Resorts MGM 0.00%↑ and Caesars Entertainment Inc. CZR 0.00%↑ have reminded folks how generative AI is boosting the ransomware threat. (Some experts speculate that the American Water Works hack was a ransomware incident.)
A number of companies are positioned to help blunt these threats and capitalize at the same time. Including this one that I’ll talk about now.
THE TECHNOLOGY TO LOOK FOR
Cybersecurity stocks are tricky animals. Technology changes. Needed investments lag. Opponents are tough to track. And I’m predicting a wave of consolidation for the sector – a surge of dealmaking that will start at any time.
But it’s also a huge opportunity.
These high-profile hacks, worries about the AI threat — and new U.S Securities and Exchange Commission (SEC) and Department of Homeland Security rules prompting faster-and-more-detailed disclosures of corporate hacks — should speed up cybersecurity investments.
And there are a couple of things you can do to put the odds in your favor for finding the best investments.
One key tip: Look at cybersecurity firms whose wares are “cloud-based.” That’s a competitive advantage; those firms have the best shot at building market-share gains.
As I always try to do for you, I’m keeping this simple. One category of cloud-based security technology is “Cloud Native Application Protection Platform,” or CNAPP.
Researcher IDC says the global cybersecurity market will grow at a double-digit pace between now and 2028 when it’ll hit $200 billion. And the CNAPP market — which grew 31.5% from 2022 to 2023 — will be the fastest grower during that stretch, IDC says.
According to Bank of America Corp. BAC 0.00%↑, the CNAPP market will grow from $7.2 billion in 2023 to $16.3 billion in 2027 — a compound annual growth rate of 24% over that five-year stretch.
One company to look at: Zscaler Inc. ZS 0.00%↑, a San Jose-based company that’s the top provider of “cloud-based web-security gateways” — a kind of digital checkpoint that queues up customer traffic for malware inspections.
Zscaler’s shares are currently trading at about $193. Analysts have a target price of $219 — with a high estimate of $400.
Earnings are forecast to grow at an average annual rate of 18.14% over the next five years. If the share price followed, it would double (to $386) in about four.
A cash-flow analysis run by analysts at Simply Wall Street concluded the stock is trading at a 36% discount to fair value. That implies a value of about $301.56 — or 56% above where the stock is currently trading. (Here’s the calculation I ran.)
A STRATEGIC VIEW
There are near-term risks: Fiscal fourth-quarter revenue growth came in at 30% — down from the 40% growth rates of prior years. And here in the near-term, the stock’s valuation remains high.
Longer-term, however, there are things to like.
Zscaler continues to invest in AI, cloud and data-analytics technologies — both internally through R&D and externally, with bolt-on acquisitions like Airgap and Avalor. CEO Jay Chaudhry conceded these could slow near-term profitability, but those investments could reignite growth going forward.
It's also secured a beachhead in the government sector. It landed another “cabinet-level agency” in the fourth quarter — and now has 13 of the 15 in the United States. Public sector business is good: It’s slower — but stable. And that strong connection with Washington will give governments overseas the confidence to go with Zscaler technology.
Another confidence booster is the company’s tightened relationship with CrowdStrike Holdings CRWD 0.00%↑, another “platform AI” cybersecurity company that’s one of the sector innovators.
Zscaler’s CNAPP tech “differentiates it from competitors, [letting] it offer a more agile and scalable solution,” Zacks Investment Research said in a recent report. “The company is seeing strong momentum in its AI-driven analytic products … generative AI is another growth avenue for Zscaler, with its security solutions gaining traction in helping companies secure their AI deployments.”
Do the research. If it fits your plan, consider an “Accumulate” strategy — letting you “wade” into the stock on pullbacks. And in addition for SPC Premium members, we have a “gunslinger” in the space you can check out in this full dossier.
As for those water utilities, cybersecurity compliance has — until now — been largely voluntary. Too many companies have painted those bullseyes on themselves. And that’s been a bummer.
Here in the New Cold War, it’s time to get serious. There’s a new urgency. And we’re finding the companies that can help us stay safe (and keep us from being thirsty).
See you next time;
