Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cyberattacks represent a threat to water, wastewater and electric utility systems. There have also been increasing threats to the information that companies maintain that have resulted in unauthorized disclosure of private customer, employee, director and corporate financial information.
Threats can come from many sources, including, but not limited to, ransomware, malicious software, credential loss or theft, supervisory control and data acquisition system takeover, equipment theft, supply chain attacks, phishing attacks, identity-based attacks, denial-of-service attacks or the actions of employees either intentional or accidental. Ransomware, whereby hackers take control of a company’s systems and/or data, has been identified as the most significant threat to Registrant’s critical infrastructure systems; it is getting harder to detect, and encrypted files are becoming harder to recover. Threat actors using ransomware have also increased their use of data, not only for direct ransom and data destruction, but also to release the data to the public. Registrant believes a breach of customer personally identifiable information is one of the most significant financial risks to it as the costs incurred could exceed the amount of its cybersecurity insurance coverage. Nevertheless, in order to continue meeting Registrant’s technological business needs and as more vendors build solutions in the cloud, Registrant expects to further expand its use of cloud-computing environments. As such, Registrant expects risks from cyberattacks and data breaches to increase due to the growth of its technological footprint in the cloud environments.
As cyberattacks have become more frequent and sophisticated, including against third-party technology providers, Registrant expects to continue to increase its investment in information and operational technology to monitor and address cyber threats and attempted cyberattacks, and to improve its posture in addressing security vulnerabilities. Registrant has implemented robust cybersecurity systems and controls to prevent any unauthorized access to information. Its platform was designed to be consistent with industry best practices such as the U.S. National Institute of Standards and Technology (“NIST”) cybersecurity frameworks. In addition, Registrant has dedicated employees with cybersecurity technical expertise and also leverages outside cybersecurity firms. Registrant has adopted multi-layered safeguards and educational measures to protect its operations, assets and digital information. Registrant conducts mandatory quarterly cybersecurity training for all employees. Registrant also conducts specialized training for ASUS employees annually on protecting certain types of information relating to the work ASUS and its subsidiaries do with the U.S. government to comply with U.S. government contracting requirements. In addition, Registrant conducts periodic and unannounced phishing tests with all employees and vulnerability assessment and penetration tests.
Registrant has adopted a cybersecurity incident response policy, plan and set of specific instructions, which are annually reviewed by the IT cybersecurity team members. Registrant is also taking actions intended to strengthen its cybersecurity posture and to improve its cybersecurity incident response plans and operating procedures. Despite the actions Registrant has taken and is taking and the fact that, to its knowledge, it has yet to experience a cybersecurity incident, there can be no assurance that Registrant will not experience a cybersecurity incident.
Risk management, oversight and response
Cyber risk management is an ongoing iterative process that requires continuous identification, assessment and management of possible cyber threats and has become a vital part of Registrant’s overall risk management efforts. Registrant’s cybersecurity team assesses ongoing cybersecurity threats and vulnerabilities to prioritize and implement mitigation factors and defense to help contain and combat identified risks.
To keep threat and vulnerability information up-to-date, the cybersecurity team subscribes to multiple national and state-level threat and vulnerability information disclosure services, both general-purpose and industry-specific in nature. Updates from these sources include general information delivered on a daily basis and more threat-specific information delivered as required. Tools are in place within Registrant’s environment to monitor for anomalous behavior and provide rapid alerting for emerging threats and, in some cases, automated responses to threats. Registrant’s cybersecurity team meets regularly with product vendors for these tools to ensure optimal configurations are in place to protect its environment.
To determine the risk to Registrant’s systems, it engages in a continuous vulnerability management lifecycle process to identify and remediate vulnerable systems and system configurations. In this regard, Registrant leverages the NIST cybersecurity frameworks. To supplement Registrant’s internal process, the cybersecurity team regularly contracts consultants to assess system configurations, both passively through exercises such as configuration review and actively through penetration testing, and response procedures, such as tabletop exercises, to identify areas for improvement. In addition, Registrant supplements its day-to-day operations with around the clock identification, assessment and mitigation of cyber risks with third-party security services as well. Registrant is working on implementing across AWR and its subsidiaries a comprehensive, risk-based approach to identify and oversee cybersecurity risks presented by third parties, including vendors, service providers and other external users of its systems and data, as well as the systems of third parties that could adversely impact Registrant’s business in the event of a cybersecurity incident affecting those third-party systems.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Registrant has implemented robust cybersecurity systems and controls to prevent any unauthorized access to information. Its platform was designed to be consistent with industry best practices such as the U.S. National Institute of Standards and Technology (“NIST”) cybersecurity frameworks. In addition, Registrant has dedicated employees with cybersecurity technical expertise and also leverages outside cybersecurity firms. Registrant has adopted multi-layered safeguards and educational measures to protect its operations, assets and digital information. Registrant conducts mandatory quarterly cybersecurity training for all employees. Registrant also conducts specialized training for ASUS employees annually on protecting certain types of information relating to the work ASUS and its subsidiaries do with the U.S. government to comply with U.S. government contracting requirements. In addition, Registrant conducts periodic and unannounced phishing tests with all employees and vulnerability assessment and penetration tests.
Registrant has adopted a cybersecurity incident response policy, plan and set of specific instructions, which are annually reviewed by the IT cybersecurity team members. Registrant is also taking actions intended to strengthen its cybersecurity posture and to improve its cybersecurity incident response plans and operating procedures. Despite the actions Registrant has taken and is taking and the fact that, to its knowledge, it has yet to experience a cybersecurity incident, there can be no assurance that Registrant will not experience a cybersecurity incident.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Registrant’s Board of Directors (the “Board”) oversees enterprise risk management, or ERM, performed under the direction of Registrant’s senior management team. Cybersecurity updates, including recent findings, changes to processes or personnel changes, are provided to the ERM liaison to the Board, who is a member of the Board, and to the full Board on a quarterly basis or more frequently if needed. Cybersecurity is one component of an overall ERM framework that involves Registrant’s Board. The Board satisfies its oversight responsibility by obtaining information from the ERM liaison and senior management of Registrant, with input from the senior management of Registrant’s subsidiaries as necessary.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity updates, including recent findings, changes to processes or personnel changes, are provided to the ERM liaison to the Board, who is a member of the Board, and to the full Board on a quarterly basis or more frequently if needed. Cybersecurity is one component of an overall ERM framework that involves Registrant’s Board.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] On a quarterly basis, Registrant’s senior management will discuss plans to mitigate cybersecurity risks with the ERM liaison. The ERM liaison and Registrant’s senior management will then provide a report to the full Board regarding the critical cybersecurity risks discussed, mitigation plans and implementation of the ERM program that addresses cybersecurity risks.
Cybersecurity Risk Role of Management [Text Block]
In addition, Registrant’s plans require members of its senior management, such as its CEO and CFO, as well as members of management from its, and its subsidiaries’, Operations, Information Technology, Human Capital Management, Accounting and Legal teams to participate in Registrant’s Cybersecurity Incident Response Team (“CIRT”) and to be kept current on all aspects related to a cyberattack, if a cybersecurity incident were to occur.
Responses to cyberattacks are fast-moving and dynamic and would require an assessment of actual or potential damage performed by Registrant’s cybersecurity team. If a cyberattack were to occur, continuous engagement, communication and collaboration between Registrant’s cybersecurity team and members of its CIRT as well as third parties would likely be necessary in order to gather accurate and complete information, perform a comprehensive evaluation and assessment of the cyberattack, manage and contain the cybersecurity threat, and develop and execute a remediation and recovery plan. Members of its CIRT team would work together to determine whether a cybersecurity breach is material and required to be reported to the Board and publicly under applicable law and regulation.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
In addition, Registrant’s plans require members of its senior management, such as its CEO and CFO, as well as members of management from its, and its subsidiaries’, Operations, Information Technology, Human Capital Management, Accounting and Legal teams to participate in Registrant’s Cybersecurity Incident Response Team (“CIRT”) and to be kept current on all aspects related to a cyberattack, if a cybersecurity incident were to occur.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Registrant’s CFO has over 15 years overseeing the Company’s risk management area. Registrant’s IT Director has over 25 years in Information Technology designing, implementing and supporting various cybersecurity and technical solutions, along with ensuring compliance with multiple cybersecurity regulations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] To ensure that members of Registrant’s Board are informed of material cyberattacks, Registrant’s CFO and IT Director have been designated as key members of management that will provide current updates to Registrant’s ERM liaison and the Board. The communication will include, but not be limited to, the nature and status of the cyberattack and Registrant’s plan to contain and mitigate the cyber threat and ultimately the remediation and recovery plan to return to “business as usual” state.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true